先说一下结论:
处于性能消耗考虑,需要替换的文本如果是正则表达式,就用String::replaceAll,如果是一般字符串,就用String::replace

例子:

public static String decodeXSS(String value) {
    if (!StringUtils.isEmpty(value)) {
        value = value.replaceAll("&lt;", "<")
                .replaceAll("&gt;", ">")
                .replaceAll("&quot;", "\"")
                .replaceAll("&amp;", "&")
                .replaceAll("&#10;", "\n")
                .replaceAll("&#9;", "\t")
                .replaceAll("&#37;", ";")
                .replaceAll("&#39;", "'")
                .replaceAll("&#40;", "\\(")
                .replaceAll("&#41;", "\\)");
    }
    return value;
}

以上方法存在一些问题:
The underlying implementation of String::replaceAll calls the java.util.regex.Pattern.compile() method each time it is called even if the first argument is not a regular expression. This has a significant performance cost and therefore should be used with care.
When String::replaceAll is used, the first argument should be a real regular expression. If it’s not the case, String::replace does exactly the same thing as String::replaceAll without the performance drawback of the regex.
This rule raises an issue for each String::replaceAll used with a String as first parameter which doesn’t contains special regex character or pattern.

String::replaceAll 的底层实现导致每次调用时都会调用 java.util.regex.Pattern.compile()方法,即使第一个参数不是正则表达式也是如此,会带来较大的性能消耗。
当使用 String::replaceAll 时,第一个参数应该是真正的正则表达式。否则String::replaceString::replaceAll 完全相同,而没有正则表达式的性能缺陷。

因此以上方法中的String::replaceAll都应该替换成为String::replace

标签: none

添加新评论