diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/error/AbstractErrorWebExceptionHandler.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/error/AbstractErrorWebExceptionHandler.java
index 0044f6c3099..b33f2eb3210 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/error/AbstractErrorWebExceptionHandler.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/error/AbstractErrorWebExceptionHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@ import org.springframework.web.reactive.function.server.ServerRequest;
 import org.springframework.web.reactive.function.server.ServerResponse;
 import org.springframework.web.reactive.result.view.ViewResolver;
 import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.util.HtmlUtils;
 /**
 * Abstract base class for {@link ErrorWebExceptionHandler} implementations.
@@ -191,9 +192,11 @@ public abstract class AbstractErrorWebExceptionHandler
 .append("

This application has no configured error view, so you are seeing this as a fallback.

") .append("
").append(timestamp.toString()) .append("
").append("
There was an unexpected error (type=")
- .append(error.get("error")).append(", status=")
- .append(error.get("status")).append(").
").append("
") - .append(error.get("message")).append("
").append(""); + .append(HtmlUtils.htmlEscape(error.get("error").toString())).append(", status=") + .append(HtmlUtils.htmlEscape(error.get("status").toString())) + .append(").").append("
") + .append(HtmlUtils.htmlEscape(error.get("message").toString())) + .append("
").append(""); return responseBody.syncBody(builder.toString()); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/reactive/error/DefaultErrorWebExceptionHandlerIntegrationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/reactive/error/DefaultErrorWebExceptionHandlerIntegrationTests.java index f34c7e5b8e8..66eb61aa491 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/reactive/error/DefaultErrorWebExceptionHandlerIntegrationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/reactive/error/DefaultErrorWebExceptionHandlerIntegrationTests.java @@ -220,6 +220,27 @@ public class DefaultErrorWebExceptionHandlerIntegrationTests { }); } + @Test + public void escapeHtmlInDefaultErrorView() throws Exception { + this.contextRunner + .withPropertyValues("spring.mustache.prefix=classpath:/unknown/") + .run((context) -> { + WebTestClient client = WebTestClient.bindToApplicationContext(context) + .build(); + String body = client.get().uri("/html").accept(MediaType.TEXT_HTML) + .exchange().expectStatus() + .isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR).expectHeader() + .contentType(MediaType.TEXT_HTML).expectBody(String.class) + .returnResult().getResponseBody(); + assertThat(body).contains("Whitelabel Error Page") + .doesNotContain("