Escape strings in whitelabel error page (HTML)

This commit is contained in:
Dave Syer 2014-10-09 16:10:57 +01:00
parent 6a503d5ca9
commit 3135c7f8ae
2 changed files with 23 additions and 5 deletions


@ -52,9 +52,11 @@ import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.util.PropertyPlaceholderHelper;
import org.springframework.util.PropertyPlaceholderHelper.PlaceholderResolver;
import org.springframework.web.bind.ServletRequestUtils;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.view.BeanNameViewResolver;
import org.springframework.web.util.HtmlUtils;
/**
* {@link EnableAutoConfiguration Auto-configuration} to render errors via a MVC error
@ -173,7 +175,7 @@ public class ErrorMvcAutoConfiguration implements EmbeddedServletContainerCustom
Expression expression = SpelView.this.parser.parseExpression(name);
try {
Object value = expression.getValue(SpelView.this.context);
return (value == null ? null : value.toString());
return (value == null ? null : HtmlUtils.htmlEscape(value.toString()));
}
catch (Exception ex) {
return null;
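Review bot: The escape added on the replaced line is applied to every resolved placeholder without a word of explanation, so a reader of this resolver cannot tell that SpelView now yields HTML-escaped values by design rather than by accident; add a comment above it such as `// Placeholder values can carry request-controlled text (e.g. the exception message), so escape them for the HTML template`. Because escaping happens at resolution time, a placeholder whose value is intended to be markup would be escaped too, which is worth stating in the SpelView class Javadoc that lies outside this hunk. The unchanged `catch (Exception ex)` below still maps any resolution failure to `null`, so a value that cannot be resolved is simply dropped from the page rather than reported. The enclosing resolver method and the SpelView class both start and end outside the hunk.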


@ -16,6 +16,10 @@
package org.springframework.boot.autoconfigure.web;
import static org.junit.Assert.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
@ -41,10 +45,6 @@ import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import static org.junit.Assert.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author Dave Syer
*/
@ -74,6 +74,22 @@ public class DefaultErrorViewIntegrationTests {
assertTrue("Wrong content: " + content, content.contains("999"));
}
@Test
public void testErrorWithEscape() throws Exception {
MvcResult response = this.mockMvc
.perform(
get("/error").requestAttr(
"javax.servlet.error.exception",
new RuntimeException(
"<script>alert('Hello World')</script>")).accept(
MediaType.TEXT_HTML)).andExpect(status().isOk())
.andReturn();
String content = response.getResponse().getContentAsString();
assertTrue("Wrong content: " + content, content.contains("&lt;script&gt;"));
assertTrue("Wrong content: " + content, content.contains("Hello World"));
assertTrue("Wrong content: " + content, content.contains("999"));
}
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
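Review bot: testErrorWithEscape asserts only that the escaped form `&lt;script&gt;` appears somewhere in the body; it never asserts that the raw `<script>` tag is absent, so a page that rendered the message twice with only one occurrence escaped would still pass. Add `assertFalse("Unescaped content: " + content, content.contains("<script>"));` beside the existing assertions, together with a static import of `org.junit.Assert.assertFalse` in the import block the first two hunks rearrange. The single quotes in `alert('Hello World')` are likewise unchecked; whether HtmlUtils escapes them depends on the Spring version in use, and it matters if the template ever places a value inside an attribute, so an assertion is worth adding once the expected entity is confirmed. DefaultErrorViewIntegrationTests continues outside the hunk.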