OPEN - issue SEC-966: Consider adding escapeXml attribute to security:authentication

http://jira.springframework.org/browse/SEC-966. Added escaping of rendered text as default.
18 years ago · d781deffe7
2 changed files with 12 additions and 7 deletions
--- a/core/src/main/java/org/springframework/security/util/TextUtils.java
+++ b/core/src/main/java/org/springframework/security/util/TextUtils.java
@ -9,6 +9,10 @@ package org.springframework.security.util;
				@@ -9,6 +9,10 @@ package org.springframework.security.util;
 public abstract class TextUtils {

    public static String escapeEntities(String s) {
+        if (s == null || s.length() == 0) {
+            return s;
+        }
+
        StringBuffer sb = new StringBuffer();

        for (int i=0; i < s.length(); i++) {
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java
@ -19,6 +19,7 @@ import org.springframework.security.Authentication;
				@@ -19,6 +19,7 @@ import org.springframework.security.Authentication;

 import org.springframework.security.context.SecurityContext;
 import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.util.TextUtils;

 import org.springframework.beans.BeanWrapperImpl;
 import org.springframework.beans.BeansException;
@ -120,7 +121,7 @@ public class AuthenticationTag extends TagSupport {
				@@ -120,7 +121,7 @@ public class AuthenticationTag extends TagSupport {
                }
            }
        } else {
-            writeMessage(String.valueOf(result));
+            writeMessage(TextUtils.escapeEntities(String.valueOf(result)));
        }
        return EVAL_PAGE;
    }