GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

OPEN - issue SEC-966: Consider adding escapeXml attribute to security:authentication 

http://jira.springframework.org/browse/SEC-966.  Added escaping of rendered text as default.
2.0.x
Luke Taylor 18 years ago
parent
a4e4120443
commit
d781deffe7
2 changed files with 12 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      core/src/main/java/org/springframework/security/util/TextUtils.java
  2. 5
      taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java

14
core/src/main/java/org/springframework/security/util/TextUtils.java
Unescape View File

@ -2,18 +2,22 @@ package org.springframework.security.util; @@ -2,18 +2,22 @@ package org.springframework.security.util;
/**
* Utilities for working with Strings and text.
*
*
* @author Luke Taylor
* @version $Id$
*/
public abstract class TextUtils {
public static String escapeEntities(String s) {
if (s == null || s.length() == 0) {
return s;
}
StringBuffer sb = new StringBuffer();
for (int i=0; i < s.length(); i++) {
char c = s.charAt(i);
if(c == '<') {
sb.append("&lt;");
} else if (c == '>') {
@ -26,8 +30,8 @@ public abstract class TextUtils { @@ -26,8 +30,8 @@ public abstract class TextUtils {
sb.append(c);
}
}
return sb.toString();
}
}

5
taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java
Unescape View File

@ -19,6 +19,7 @@ import org.springframework.security.Authentication; @@ -19,6 +19,7 @@ import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.util.TextUtils;
import org.springframework.beans.BeanWrapperImpl;
import org.springframework.beans.BeansException;
@ -94,7 +95,7 @@ public class AuthenticationTag extends TagSupport { @@ -94,7 +95,7 @@ public class AuthenticationTag extends TagSupport {
if (auth.getPrincipal() == null) {
return Tag.EVAL_PAGE;
}
try {
BeanWrapperImpl wrapper = new BeanWrapperImpl(auth);
result = wrapper.getPropertyValue(property);
@ -120,7 +121,7 @@ public class AuthenticationTag extends TagSupport { @@ -120,7 +121,7 @@ public class AuthenticationTag extends TagSupport {
}
}
} else {
writeMessage(String.valueOf(result));
writeMessage(TextUtils.escapeEntities(String.valueOf(result)));
}
return EVAL_PAGE;
}

Write Preview
Loading…
Cancel
Save