Use response encoding when escaping HTML

With SPR-9293, it is now possible to HTML escape text while taking into
account the current response encoding. When using UTF-* encodings, only
XML markup significant characters are escaped, since UTF-* natively
support those characters.

This commit adds a new servlet context parameter to enable this fix by
default in a Spring MVC application:

    <context-param>
      <param-name>responseEncodedHtmlEscape</param-name>
      <param-value>true</param-value>
    </context-param>

Issue: SPR-12350, SPR-12132
This commit is contained in:
Brian Clozel
2014-10-24 11:46:09 +02:00
parent 73e398a165
commit a0c210457b
9 changed files with 124 additions and 17 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2013 the original author or authors.
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ import org.springframework.context.support.DefaultMessageSourceResolvable;
import org.springframework.web.context.ConfigurableWebApplicationContext;
import org.springframework.web.servlet.support.RequestContext;
import org.springframework.web.servlet.support.RequestContextUtils;
import org.springframework.web.util.WebUtils;
/**
* Tests for {@link MessageTag}.
@@ -266,11 +267,31 @@ public class MessageTagTests extends AbstractTagTests {
}
};
tag.setPageContext(pc);
tag.setText("test & text");
tag.setText("test & text é");
tag.setHtmlEscape(true);
assertTrue("Correct doStartTag return value", tag.doStartTag() == Tag.EVAL_BODY_INCLUDE);
assertEquals("Correct doEndTag return value", Tag.EVAL_PAGE, tag.doEndTag());
assertEquals("Correct message", "test &amp; text", message.toString());
assertEquals("Correct message", "test &amp; text &eacute;", message.toString());
}
@SuppressWarnings("serial")
public void testMessageTagWithTextEncodingEscaped() throws JspException {
PageContext pc = createPageContext();
pc.getServletContext().setInitParameter(WebUtils.RESPONSE_ENCODED_HTML_ESCAPE_CONTEXT_PARAM, "true");
pc.getResponse().setCharacterEncoding("UTF-8");
final StringBuffer message = new StringBuffer();
MessageTag tag = new MessageTag() {
@Override
protected void writeMessage(String msg) {
message.append(msg);
}
};
tag.setPageContext(pc);
tag.setText("test <&> é");
tag.setHtmlEscape(true);
assertTrue("Correct doStartTag return value", tag.doStartTag() == Tag.EVAL_BODY_INCLUDE);
assertEquals("Correct doEndTag return value", Tag.EVAL_PAGE, tag.doEndTag());
assertEquals("Correct message", "test &lt;&amp;&gt; é", message.toString());
}
@SuppressWarnings("serial")