Escape strings in whitelabel error page (HTML)

Dave Syer · Dave Syer · commit 3135c7f8aeb3 · 2014-10-09T16:10:57.000+01:00
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration.java
@@ -52,9 +52,11 @@
 import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.util.PropertyPlaceholderHelper;
 import org.springframework.util.PropertyPlaceholderHelper.PlaceholderResolver;
+import org.springframework.web.bind.ServletRequestUtils;
 import org.springframework.web.servlet.DispatcherServlet;
 import org.springframework.web.servlet.View;
 import org.springframework.web.servlet.view.BeanNameViewResolver;
+import org.springframework.web.util.HtmlUtils;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} to render errors via a MVC error
@@ -173,7 +175,7 @@ public String resolvePlaceholder(String name) {
 					Expression expression = SpelView.this.parser.parseExpression(name);
 					try {
 						Object value = expression.getValue(SpelView.this.context);
-						return (value == null ? null : value.toString());
+						return (value == null ? null : HtmlUtils.htmlEscape(value.toString()));
 					}
 					catch (Exception ex) {
 						return null;
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/DefaultErrorViewIntegrationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/DefaultErrorViewIntegrationTests.java
@@ -16,6 +16,10 @@
 
 package org.springframework.boot.autoconfigure.web;
 
+import static org.junit.Assert.assertTrue;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
 import java.lang.annotation.Documented;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
@@ -41,10 +45,6 @@
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
 
-import static org.junit.Assert.assertTrue;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 /**
  * @author Dave Syer
  */
@@ -74,6 +74,22 @@ public void testErrorForBrowserClient() throws Exception {
 		assertTrue("Wrong content: " + content, content.contains("999"));
 	}
 
+	@Test
+	public void testErrorWithEscape() throws Exception {
+		MvcResult response = this.mockMvc
+				.perform(
+						get("/error").requestAttr(
+								"javax.servlet.error.exception",
+								new RuntimeException(
+										"<script>alert('Hello World')</script>")).accept(
+								MediaType.TEXT_HTML)).andExpect(status().isOk())
+				.andReturn();
+		String content = response.getResponse().getContentAsString();
+		assertTrue("Wrong content: " + content, content.contains("&lt;script&gt;"));
+		assertTrue("Wrong content: " + content, content.contains("Hello World"));
+		assertTrue("Wrong content: " + content, content.contains("999"));
+	}
+
 	@Target(ElementType.TYPE)
 	@Retention(RetentionPolicy.RUNTIME)
 	@Documented
