diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/result/view/script/ScriptTemplateView.java b/spring-webflux/src/main/java/org/springframework/web/reactive/result/view/script/ScriptTemplateView.java
index cde00f693e0..5f60826221d 100644
--- a/spring-webflux/src/main/java/org/springframework/web/reactive/result/view/script/ScriptTemplateView.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/result/view/script/ScriptTemplateView.java
@@ -47,6 +47,7 @@ import org.springframework.util.Assert;
 import org.springframework.util.FileCopyUtils;
 import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;
+import org.springframework.web.reactive.resource.ResourceHandlerUtils;
 import org.springframework.web.reactive.result.view.AbstractUrlBasedView;
 import org.springframework.web.server.ServerWebExchange;
@@ -292,11 +293,26 @@ public class ScriptTemplateView extends AbstractUrlBasedView {
 }
 protected @Nullable Resource getResource(String location) {
- if (this.resourceLoaderPaths != null) {
+ String normalizedLocation = ResourceHandlerUtils.normalizeInputPath(location);
+ if (this.resourceLoaderPaths != null && !ResourceHandlerUtils.shouldIgnoreInputPath(normalizedLocation)) {
+ ApplicationContext context = obtainApplicationContext();
 for (String path : this.resourceLoaderPaths) {
- Resource resource = obtainApplicationContext().getResource(path + location);
- if (resource.exists()) {
- return resource;
+ Resource resource = context.getResource(path + normalizedLocation);
+ try {
+ if (resource.exists() && ResourceHandlerUtils.isResourceUnderLocation(context.getResource(path), resource)) {
+ return resource;
+ }
+ }
+ catch (IOException ex) {
+ if (logger.isDebugEnabled()) {
+ String error = "Skip location [" + normalizedLocation + "] due to error";
+ if (logger.isTraceEnabled()) {
+ logger.trace(error, ex);
+ }
+ else {
+ logger.debug(error + ": " + ex.getMessage());
+ }
+ }
 }
 }
 }
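Review bot: The debug message built in the new `catch (IOException ex)` block prints `normalizedLocation` but not the loader `path` whose check failed, so with several `resourceLoaderPaths` every skipped entry logs the same text and the failing base cannot be identified. Consider `String error = "Skip location [" + path + "] for [" + normalizedLocation + "] due to error";`. The failure is reported only at debug or trace, so a containment check that errors out leaves no record at default log levels; if `location` can carry a request-derived view name (not visible here), the value should also be sanitised before it is logged. The same lines appear in the spring-webmvc `ScriptTemplateView` hunk, and `getResource` continues past the end of this hunk.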
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/script/ScriptTemplateView.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/script/ScriptTemplateView.java
index 17fd8a1c66e..d5a90647e63 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/script/ScriptTemplateView.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/script/ScriptTemplateView.java
@@ -51,6 +51,7 @@ import org.springframework.util.Assert;
 import org.springframework.util.FileCopyUtils;
 import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;
+import org.springframework.web.servlet.resource.ResourceHandlerUtils;
 import org.springframework.web.servlet.support.RequestContextUtils;
 import org.springframework.web.servlet.view.AbstractUrlBasedView;
@@ -336,11 +337,26 @@ public class ScriptTemplateView extends AbstractUrlBasedView {
 }
 protected @Nullable Resource getResource(String location) {
- if (this.resourceLoaderPaths != null) {
+ String normalizedLocation = ResourceHandlerUtils.normalizeInputPath(location);
+ if (this.resourceLoaderPaths != null && !ResourceHandlerUtils.shouldIgnoreInputPath(normalizedLocation)) {
+ ApplicationContext context = obtainApplicationContext();
 for (String path : this.resourceLoaderPaths) {
- Resource resource = obtainApplicationContext().getResource(path + location);
- if (resource.exists()) {
- return resource;
+ Resource resource = context.getResource(path + normalizedLocation);
+ try {
+ if (resource.exists() && ResourceHandlerUtils.isResourceUnderLocation(context.getResource(path), resource)) {
+ return resource;
+ }
+ }
+ catch (IOException ex) {
+ if (logger.isDebugEnabled()) {
+ String error = "Skip location [" + normalizedLocation + "] due to error";
+ if (logger.isTraceEnabled()) {
+ logger.trace(error, ex);
+ }
+ else {
+ logger.debug(error + ": " + ex.getMessage());
+ }
+ }
 }
 }
 }
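Review bot: `getResource` is `protected` and has no Javadoc, so nothing tells a subclass author that the input-path and under-location checks added here live inside this method and are lost by an override that resolves `path + location` directly. I would add a short Javadoc stating that `location` is normalized, that a location rejected by `ResourceHandlerUtils.shouldIgnoreInputPath` or resolving outside a configured loader path is treated as not found, and that overrides must keep those checks. The return for the rejected case lies outside this hunk, so the exact wording (presumably `null`) should be confirmed against the full method. The spring-webflux hunk would take the same comment.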