Escape strings in whitelabel error page (HTML)

10 years ago · 3135c7f8ae
parent 6a503d5ca9
commit 3135c7f8ae
2 changed files with 23 additions and 5 deletions
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration.java
@ -52,9 +52,11 @@ import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.util.PropertyPlaceholderHelper;
 import org.springframework.util.PropertyPlaceholderHelper.PlaceholderResolver;
+import org.springframework.web.bind.ServletRequestUtils;
 import org.springframework.web.servlet.DispatcherServlet;
 import org.springframework.web.servlet.View;
 import org.springframework.web.servlet.view.BeanNameViewResolver;
+import org.springframework.web.util.HtmlUtils;

 /**
 * {@link EnableAutoConfiguration Auto-configuration} to render errors via a MVC error
@ -173,7 +175,7 @@ public class ErrorMvcAutoConfiguration implements EmbeddedServletContainerCustom
 					Expression expression = SpelView.this.parser.parseExpression(name);
 					try {
 						Object value = expression.getValue(SpelView.this.context);
-						return (value == null ? null : value.toString());
+						return (value == null ? null : HtmlUtils.htmlEscape(value.toString()));
 					}
 					catch (Exception ex) {
 						return null;
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/DefaultErrorViewIntegrationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/DefaultErrorViewIntegrationTests.java
@ -16,6 +16,10 @@

 package org.springframework.boot.autoconfigure.web;

+import static org.junit.Assert.assertTrue;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
 import java.lang.annotation.Documented;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
@ -41,10 +45,6 @@ import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;

-import static org.junit.Assert.assertTrue;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 /**
 * @author Dave Syer
 */
@ -74,6 +74,22 @@ public class DefaultErrorViewIntegrationTests {
 		assertTrue("Wrong content: " + content, content.contains("999"));
 	}

+	@Test
+	public void testErrorWithEscape() throws Exception {
+		MvcResult response = this.mockMvc
+				.perform(
+						get("/error").requestAttr(
+								"javax.servlet.error.exception",
+								new RuntimeException(
+										"<script>alert('Hello World')</script>")).accept(
+								MediaType.TEXT_HTML)).andExpect(status().isOk())
+				.andReturn();
+		String content = response.getResponse().getContentAsString();
+		assertTrue("Wrong content: " + content, content.contains("&lt;script&gt;"));
+		assertTrue("Wrong content: " + content, content.contains("Hello World"));
+		assertTrue("Wrong content: " + content, content.contains("999"));
+	}
+
 	@Target(ElementType.TYPE)
 	@Retention(RetentionPolicy.RUNTIME)
 	@Documented