Escape strings in whitelabel error page (HTML)

pull/2035/head
Dave Syer 10 years ago
parent 6a503d5ca9
commit 3135c7f8ae

@ -52,9 +52,11 @@ import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext; import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.util.PropertyPlaceholderHelper; import org.springframework.util.PropertyPlaceholderHelper;
import org.springframework.util.PropertyPlaceholderHelper.PlaceholderResolver; import org.springframework.util.PropertyPlaceholderHelper.PlaceholderResolver;
import org.springframework.web.bind.ServletRequestUtils;
import org.springframework.web.servlet.DispatcherServlet; import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.View; import org.springframework.web.servlet.View;
import org.springframework.web.servlet.view.BeanNameViewResolver; import org.springframework.web.servlet.view.BeanNameViewResolver;
import org.springframework.web.util.HtmlUtils;
/** /**
* {@link EnableAutoConfiguration Auto-configuration} to render errors via a MVC error * {@link EnableAutoConfiguration Auto-configuration} to render errors via a MVC error
@ -173,7 +175,7 @@ public class ErrorMvcAutoConfiguration implements EmbeddedServletContainerCustom
Expression expression = SpelView.this.parser.parseExpression(name); Expression expression = SpelView.this.parser.parseExpression(name);
try { try {
Object value = expression.getValue(SpelView.this.context); Object value = expression.getValue(SpelView.this.context);
return (value == null ? null : value.toString()); return (value == null ? null : HtmlUtils.htmlEscape(value.toString()));
} }
catch (Exception ex) { catch (Exception ex) {
return null; return null;
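Review bot: `HtmlUtils.htmlEscape` on the new side of the return in the second hunk is element-content escaping, so it is only sufficient while every placeholder in the whitelabel template is interpolated into element text; a placeholder placed inside an attribute value, a `<script>` block or a URL would need a context-specific encoder instead, and nothing in the hunk records that assumption. I would add a comment above the return, `// Values end up in an HTML page: escape so request-derived data (e.g. the exception message) cannot inject markup. Element-content escaping only; do not reuse placeholders inside attributes or scripts.`. The `ServletRequestUtils` import added in the first hunk has no use in the visible lines; if nothing outside the hunks uses it, drop it. The enclosing resolver method starts and ends outside the hunk.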

@ -16,6 +16,10 @@
package org.springframework.boot.autoconfigure.web; package org.springframework.boot.autoconfigure.web;
import static org.junit.Assert.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import java.lang.annotation.Documented; import java.lang.annotation.Documented;
import java.lang.annotation.ElementType; import java.lang.annotation.ElementType;
import java.lang.annotation.Retention; import java.lang.annotation.Retention;
@ -41,10 +45,6 @@ import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.setup.MockMvcBuilders; import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext; import org.springframework.web.context.WebApplicationContext;
import static org.junit.Assert.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/** /**
* @author Dave Syer * @author Dave Syer
*/ */
@ -74,6 +74,22 @@ public class DefaultErrorViewIntegrationTests {
assertTrue("Wrong content: " + content, content.contains("999")); assertTrue("Wrong content: " + content, content.contains("999"));
} }
@Test
public void testErrorWithEscape() throws Exception {
MvcResult response = this.mockMvc
.perform(
get("/error").requestAttr(
"javax.servlet.error.exception",
new RuntimeException(
"<script>alert('Hello World')</script>")).accept(
MediaType.TEXT_HTML)).andExpect(status().isOk())
.andReturn();
String content = response.getResponse().getContentAsString();
assertTrue("Wrong content: " + content, content.contains("&lt;script&gt;"));
assertTrue("Wrong content: " + content, content.contains("Hello World"));
assertTrue("Wrong content: " + content, content.contains("999"));
}
@Target(ElementType.TYPE) @Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME) @Retention(RetentionPolicy.RUNTIME)
@Documented @Documented
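Review bot: `testErrorWithEscape` only asserts that the escaped form `&lt;script&gt;` is present, so a regression that emits both the raw and the escaped text (or escapes one occurrence and not another) would still pass; add a negative check, `assertFalse("Unescaped content: " + content, content.contains("<script>"));` alongside the existing assertions (with `import static org.junit.Assert.assertFalse;`). The `Hello World` assertion does not pin how the single quotes in the payload are rendered; if the intent is that quotes are entity-encoded too, an assertion on the encoded form would make that explicit, otherwise the current check is fine. The first two hunks only move the static imports and need no further review.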
