
OPEN - issue SEC-966: Consider adding escapeXml attribute to security:authentication
http://jira.springframework.org/browse/SEC-966. Added escaping of rendered text by default.

Luke Taylor 17 lat temu
rodzic
commit
d781deffe7

+ 9 - 5
core/src/main/java/org/springframework/security/util/TextUtils.java

@@ -2,18 +2,22 @@ package org.springframework.security.util;
 
 /**
  * Utilities for working with Strings and text.
- * 
+ *
  * @author Luke Taylor
  * @version $Id$
  */
 public abstract class TextUtils {
 
     public static String escapeEntities(String s) {
+        if (s == null || s.length() == 0) {
+            return s;
+        }
+
         StringBuffer sb = new StringBuffer();
-        
+
         for (int i=0; i < s.length(); i++) {
             char c = s.charAt(i);
-            
+
             if(c == '<') {
                 sb.append("&lt;");
             } else if (c == '>') {
@@ -26,8 +30,8 @@ public abstract class TextUtils {
                 sb.append(c);
             }
         }
-        
+
         return sb.toString();
     }
-    
+
 }
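Review bot: escapeEntities still has no Javadoc, and since this commit makes it the default escaping for the authentication tag's output, the method should state exactly which characters it replaces and that a null or empty input is returned unchanged (the guard added at the top of the method). The visible lines cover `<` and `>`; the middle of the loop lies between the two hunks, so I cannot see whether `&`, `"` and `'` are handled, and the Javadoc should list them explicitly so a caller knows whether the result is safe only as element content or also inside an attribute value. Suggested summary: `/** Replaces the HTML/XML special characters in {@code s} (list them) with character entities; returns {@code s} unchanged when it is null or empty. */`. Minor: `StringBuffer sb = new StringBuffer(s.length());` avoids the default 16-character allocation, since the output is never shorter than the input.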

+ 3 - 2
taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java

@@ -19,6 +19,7 @@ import org.springframework.security.Authentication;
 
 import org.springframework.security.context.SecurityContext;
 import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.util.TextUtils;
 
 import org.springframework.beans.BeanWrapperImpl;
 import org.springframework.beans.BeansException;
@@ -94,7 +95,7 @@ public class AuthenticationTag extends TagSupport {
             if (auth.getPrincipal() == null) {
                 return Tag.EVAL_PAGE;
             }
-            
+
             try {
                 BeanWrapperImpl wrapper = new BeanWrapperImpl(auth);
                 result = wrapper.getPropertyValue(property);
@@ -120,7 +121,7 @@ public class AuthenticationTag extends TagSupport {
                 }
             }
         } else {
-            writeMessage(String.valueOf(result));
+            writeMessage(TextUtils.escapeEntities(String.valueOf(result)));
         }
         return EVAL_PAGE;
     }
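Review bot: The escaping added on the `else` branch is unconditional, so the `escapeXml` attribute the issue title asks for is not part of this change; that is the safer default, but the tag's TLD description and class Javadoc should now say that the rendered value is HTML-entity escaped, otherwise page authors who already escape the value in their page will double-escape it. Entity escaping of element content does not by itself cover attribute-value or script contexts, so the documentation should also state where the tag's output is meant to be placed. The `if`/`else` and the enclosing method both start outside this hunk.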