diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration.java
index 52ba5afd8f8..46266135eb4 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorMvcAutoConfiguration.java
@@ -52,9 +52,11 @@ import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.util.PropertyPlaceholderHelper;
 import org.springframework.util.PropertyPlaceholderHelper.PlaceholderResolver;
+import org.springframework.web.bind.ServletRequestUtils;
 import org.springframework.web.servlet.DispatcherServlet;
 import org.springframework.web.servlet.View;
 import org.springframework.web.servlet.view.BeanNameViewResolver;
+import org.springframework.web.util.HtmlUtils;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} to render errors via a MVC error
@@ -173,7 +175,7 @@ public class ErrorMvcAutoConfiguration implements EmbeddedServletContainerCustom
 				Expression expression = SpelView.this.parser.parseExpression(name);
 				try {
 					Object value = expression.getValue(SpelView.this.context);
-					return (value == null ? null : value.toString());
+					return (value == null ? null : HtmlUtils.htmlEscape(value.toString()));
 				}
 				catch (Exception ex) {
 					return null;
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/DefaultErrorViewIntegrationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/DefaultErrorViewIntegrationTests.java
index 59641b57237..2a654c7e91e 100644
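Review bot: `import org.springframework.web.bind.ServletRequestUtils;` is added in the import hunk, but nothing else in this file's diff references it; the only other hunk is the `htmlEscape` change. Unless an unchanged part of ErrorMvcAutoConfiguration.java already uses the name unqualified (nothing visible suggests so), this is an unused import that Checkstyle and IDE warnings will flag. Either drop the line or add the usage it was meant to support in the same commit.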
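Review bot: The escaping added on the `return` line deserves a comment in the resolver explaining its scope, because it is now the single place that protects every `${...}` placeholder in the SpEL error view and a later reader may be tempted to "unescape" one value. Suggested: `// Resolved values (exception message, path, etc.) may echo request data; escape every placeholder for the HTML text / quoted-attribute context of the whitelabel template.` Note that `HtmlUtils.htmlEscape` is only adequate for those contexts, so the template must not interpolate placeholders inside script or URL positions; stating that here keeps the invariant visible. The enclosing resolvePlaceholder method and the surrounding SpelView class continue outside the hunk.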
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/DefaultErrorViewIntegrationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/DefaultErrorViewIntegrationTests.java
@@ -16,6 +16,10 @@
 
 package org.springframework.boot.autoconfigure.web;
 
+import static org.junit.Assert.assertTrue;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
 import java.lang.annotation.Documented;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
@@ -41,10 +45,6 @@ import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
 
-import static org.junit.Assert.assertTrue;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 /**
  * @author Dave Syer
  */
@@ -74,6 +74,22 @@ public class DefaultErrorViewIntegrationTests {
 		assertTrue("Wrong content: " + content, content.contains("999"));
 	}
 
+	@Test
+	public void testErrorWithEscape() throws Exception {
+		MvcResult response = this.mockMvc
+				.perform(
+						get("/error").requestAttr(
+								"javax.servlet.error.exception",
+								new RuntimeException(
+										"")).accept(
+								MediaType.TEXT_HTML)).andExpect(status().isOk())
+				.andReturn();
+		String content = response.getResponse().getContentAsString();
+		assertTrue("Wrong content: " + content, content.contains("<script>"));
+		assertTrue("Wrong content: " + content, content.contains("Hello World"));
+		assertTrue("Wrong content: " + content, content.contains("999"));
+	}
+
 	@Target(ElementType.TYPE)
 	@Retention(RetentionPolicy.RUNTIME)
 	@Documented
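Review bot: As shown, `testErrorWithEscape` cannot exercise the escaping it is named for: the exception is built with an empty message, `new RuntimeException("")`, yet the test asserts `content.contains("Hello World")`, and asserting a literal `content.contains("<script>")` is the opposite of what the `htmlEscape` change in ErrorMvcAutoConfiguration.java produces. This looks like the message literal and the expected string were lost or entity-decoded when the page was rendered, but the test as written here is the thing under review. The message should carry the markup being escaped and the assertions should check for the escaped form, e.g. `assertTrue("Wrong content: " + content, content.contains("&lt;script&gt;"));` together with `assertTrue("Wrong content: " + content, !content.contains("<script>"));`, so the test fails if escaping regresses. The method is complete within the hunk.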