SEC-1420: Add htmlEscape attribute to authentication JSP tag.
This allows HTML escaping to be disabled if required.
+24
-1
@@ -23,6 +23,7 @@ import org.springframework.security.web.util.TextEscapeUtils;
|
||||
|
||||
import org.springframework.beans.BeanWrapperImpl;
|
||||
import org.springframework.beans.BeansException;
|
||||
import org.springframework.web.util.ExpressionEvaluationUtils;
|
||||
import org.springframework.web.util.TagUtils;
|
||||
|
||||
import java.io.IOException;
|
||||
@@ -48,6 +49,7 @@ public class AuthenticationTag extends TagSupport {
|
||||
private String property;
|
||||
private int scope;
|
||||
private boolean scopeSpecified;
|
||||
private boolean htmlEscape = true;
|
||||
|
||||
|
||||
//~ Methods ========================================================================================================
|
||||
@@ -120,7 +122,11 @@ public class AuthenticationTag extends TagSupport {
|
||||
}
|
||||
}
|
||||
} else {
|
||||
writeMessage(TextEscapeUtils.escapeEntities(String.valueOf(result)));
|
||||
if (htmlEscape) {
|
||||
writeMessage(TextEscapeUtils.escapeEntities(String.valueOf(result)));
|
||||
} else {
|
||||
writeMessage(String.valueOf(result));
|
||||
}
|
||||
}
|
||||
return EVAL_PAGE;
|
||||
}
|
||||
@@ -132,4 +138,21 @@ public class AuthenticationTag extends TagSupport {
|
||||
throw new JspException(ioe);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Set HTML escaping for this tag, as boolean value.
|
||||
*/
|
||||
public void setHtmlEscape(String htmlEscape) throws JspException {
|
||||
this.htmlEscape = ExpressionEvaluationUtils.evaluateBoolean("htmlEscape", htmlEscape, pageContext);
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the HTML escaping setting for this tag,
|
||||
* or the default setting if not overridden.
|
||||
* @see #isDefaultHtmlEscape()
|
||||
*/
|
||||
protected boolean isHtmlEscape() {
|
||||
return htmlEscape;
|
||||
}
|
||||
}
|
||||
|
||||
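Review bot: The Javadoc added for `isHtmlEscape()` in the last hunk says it returns "the default setting if not overridden" and carries `@see #isDefaultHtmlEscape()`, but the body is just `return htmlEscape;` and no `isDefaultHtmlEscape()` is declared in this class as far as the hunk shows, so the `@see` is a dangling reference and the summary describes behaviour that is not there. Replace it with `Return whether the evaluated property is HTML-escaped before it is written; defaults to {@code true}.` and drop the `@see`. The `setHtmlEscape` Javadoc should also state what disabling means, because the new `else` branch in the `@@ -120,7 +122,11` hunk writes `String.valueOf(result)` to the page unescaped: `Set HTML escaping for this tag, as boolean value. Defaults to {@code true}; set to {@code false} only when the value is written into a non-HTML context or is already encoded, since the principal-derived property is then emitted verbatim.` The method containing that `else` branch starts outside the hunk.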
@@ -110,6 +110,12 @@
|
||||
evaluated property of the Authentication object.
|
||||
</description>
|
||||
</attribute>
|
||||
<attribute>
|
||||
<description>Set HTML escaping for this tag, as a boolean value.</description>
|
||||
<name>htmlEscape</name>
|
||||
<required>false</required>
|
||||
<rtexprvalue>true</rtexprvalue>
|
||||
</attribute>
|
||||
<attribute>
|
||||
<name>scope</name>
|
||||
<required>false</required>
|
||||
|
||||
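Review bot: The new `htmlEscape` attribute description does not state the default, so a page author reading the TLD cannot tell whether omitting the attribute escapes the value or not, even though the Java side initialises the field to `true`. Suggest `<description>Whether to HTML-escape the evaluated property before writing it. Defaults to true; set to false only when the value is written into a non-HTML context or is already encoded.</description>`.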
+33
-4
@@ -15,11 +15,13 @@
|
||||
|
||||
package org.springframework.security.taglibs.authz;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
import javax.servlet.jsp.JspException;
|
||||
import javax.servlet.jsp.tagext.Tag;
|
||||
|
||||
import junit.framework.TestCase;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Test;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.authority.AuthorityUtils;
|
||||
@@ -32,7 +34,7 @@ import org.springframework.security.core.userdetails.User;
|
||||
*
|
||||
* @author Ben Alex
|
||||
*/
|
||||
public class AuthenticationTagTests extends TestCase {
|
||||
public class AuthenticationTagTests {
|
||||
//~ Instance fields ================================================================================================
|
||||
|
||||
private final MyAuthenticationTag authenticationTag = new MyAuthenticationTag();
|
||||
@@ -41,10 +43,12 @@ public class AuthenticationTagTests extends TestCase {
|
||||
|
||||
//~ Methods ========================================================================================================
|
||||
|
||||
protected void tearDown() throws Exception {
|
||||
@After
|
||||
public void tearDown() {
|
||||
SecurityContextHolder.clearContext();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testOperationWhenPrincipalIsAUserDetailsInstance()throws JspException {
|
||||
SecurityContextHolder.getContext().setAuthentication(auth);
|
||||
|
||||
@@ -54,6 +58,7 @@ public class AuthenticationTagTests extends TestCase {
|
||||
assertEquals("rodUserDetails", authenticationTag.getLastMessage());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testOperationWhenPrincipalIsAString() throws JspException {
|
||||
SecurityContextHolder.getContext().setAuthentication(
|
||||
new TestingAuthenticationToken("rodAsString", "koala", AuthorityUtils.NO_AUTHORITIES ));
|
||||
@@ -64,6 +69,7 @@ public class AuthenticationTagTests extends TestCase {
|
||||
assertEquals("rodAsString", authenticationTag.getLastMessage());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testNestedPropertyIsReadCorrectly() throws JspException {
|
||||
SecurityContextHolder.getContext().setAuthentication(auth);
|
||||
|
||||
@@ -73,6 +79,7 @@ public class AuthenticationTagTests extends TestCase {
|
||||
assertEquals("rodUserDetails", authenticationTag.getLastMessage());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testOperationWhenPrincipalIsNull() throws JspException {
|
||||
SecurityContextHolder.getContext().setAuthentication(
|
||||
new TestingAuthenticationToken(null, "koala", AuthorityUtils.NO_AUTHORITIES ));
|
||||
@@ -82,6 +89,7 @@ public class AuthenticationTagTests extends TestCase {
|
||||
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testOperationWhenSecurityContextIsNull() throws Exception {
|
||||
SecurityContextHolder.getContext().setAuthentication(null);
|
||||
|
||||
@@ -91,12 +99,14 @@ public class AuthenticationTagTests extends TestCase {
|
||||
assertEquals(null, authenticationTag.getLastMessage());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSkipsBodyIfNullOrEmptyOperation() throws Exception {
|
||||
authenticationTag.setProperty("");
|
||||
assertEquals(Tag.SKIP_BODY, authenticationTag.doStartTag());
|
||||
assertEquals(Tag.EVAL_PAGE, authenticationTag.doEndTag());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testThrowsExceptionForUnrecognisedProperty() {
|
||||
SecurityContextHolder.getContext().setAuthentication(auth);
|
||||
authenticationTag.setProperty("qsq");
|
||||
@@ -109,6 +119,25 @@ public class AuthenticationTagTests extends TestCase {
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void htmlEscapingIsUsedByDefault() throws Exception {
|
||||
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("<>& ", ""));
|
||||
authenticationTag.setProperty("name");
|
||||
authenticationTag.doStartTag();
|
||||
authenticationTag.doEndTag();
|
||||
assertEquals("<>& ", authenticationTag.getLastMessage());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void settingHtmlEscapeToFalsePreventsEscaping() throws Exception {
|
||||
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("<>& ", ""));
|
||||
authenticationTag.setProperty("name");
|
||||
authenticationTag.setHtmlEscape("false");
|
||||
authenticationTag.doStartTag();
|
||||
authenticationTag.doEndTag();
|
||||
assertEquals("<>& ", authenticationTag.getLastMessage());
|
||||
}
|
||||
|
||||
//~ Inner Classes ==================================================================================================
|
||||
|
||||
private class MyAuthenticationTag extends AuthenticationTag {
|
||||
|
||||
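Review bot: `htmlEscapingIsUsedByDefault` and `settingHtmlEscapeToFalsePreventsEscaping` both assert the same expected string `"<>& "` in the last hunk, so as rendered the first test cannot distinguish escaped from unescaped output. Presumably the source literal in the default-escaping test is the entity-encoded form produced by `TextEscapeUtils.escapeEntities` and the page decoded it when rendering; if the literal really is `"<>& "`, that test passes for the wrong reason. Worth confirming the expected value in `htmlEscapingIsUsedByDefault` is the escaped form, and since `getLastMessage()` comes from `MyAuthenticationTag`, whose body starts at the end of the hunk and continues outside it, a one-line comment on the helper saying it captures the last `writeMessage` argument would make the two assertions easier to read.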