From 2c504012ad1f8840d41e8dd736e9ddc024e87dd6 Mon Sep 17 00:00:00 2001 From: Juergen Hoeller Date: Wed, 27 Jul 2011 21:22:04 +0000 Subject: [PATCH] HtmlUtils properly escapes single quotes as well --- .../web/servlet/tags/HtmlEscapeTagTests.java | 12 ++++---- .../web/servlet/tags/MessageTagTests.java | 5 ++-- .../web/servlet/tags/form/FormTagTests.java | 4 +-- .../web/bind/EscapedErrorsTests.java | 23 ++++++++------- .../HtmlCharacterEntityReferencesTests.java | 29 ++++++++++++------- 5 files changed, 41 insertions(+), 32 deletions(-) diff --git a/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/HtmlEscapeTagTests.java b/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/HtmlEscapeTagTests.java index 41ee4ab8a6f..3695a7ea803 100644 --- a/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/HtmlEscapeTagTests.java +++ b/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/HtmlEscapeTagTests.java @@ -1,12 +1,12 @@ /* - * Copyright 2002-2005 the original author or authors. - * + * Copyright 2002-2011 the original author or authors. + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -18,8 +18,8 @@ package org.springframework.web.servlet.tags; import javax.servlet.jsp.JspException; import javax.servlet.jsp.PageContext; -import javax.servlet.jsp.tagext.Tag; import javax.servlet.jsp.tagext.BodyTag; +import javax.servlet.jsp.tagext.Tag; import org.springframework.mock.web.MockServletContext; import org.springframework.web.util.WebUtils; 
@@ -176,7 +176,7 @@ public class HtmlEscapeTagTests extends AbstractTagTests { tag.setJavaScriptEscape("true"); assertEquals(BodyTag.EVAL_BODY_BUFFERED, tag.doStartTag()); assertEquals(Tag.SKIP_BODY, tag.doAfterBody()); - assertEquals("Correct content", "\\' test & text \\\\", result.toString()); + assertEquals("Correct content", "' test & text \\\\", result.toString()); } } diff --git a/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/MessageTagTests.java b/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/MessageTagTests.java index d0842701024..2abcc95a850 100644 --- a/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/MessageTagTests.java +++ b/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/MessageTagTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2007 the original author or authors. + * Copyright 2002-2011 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,7 +19,6 @@ package org.springframework.web.servlet.tags; import java.util.Arrays; import java.util.List; import java.util.Locale; - import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.jsp.JspException; @@ -347,7 +346,7 @@ public class MessageTagTests extends AbstractTagTests { tag.setHtmlEscape("true"); tag.setJavaScriptEscape("true"); assertTrue("Correct doStartTag return value", tag.doStartTag() == Tag.EVAL_BODY_INCLUDE); - assertEquals("Correct message", "\\' test & text \\\\", message.toString()); + assertEquals("Correct message", "' test & text \\\\", message.toString()); } public void testMessageWithVarAndScope() throws JspException { 
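Review bot: The new expected string in the `"Correct content"` assertion no longer contains the JavaScript-escaped quote `\\'`, and neither this test nor the `"Correct message"` assertion in MessageTagTests (the same change, further down) says why. Presumably, with HTML and JavaScript escaping both enabled, the quote is now converted to an HTML character reference before the JavaScript escaper sees it; the page seems to show that reference decoded, so this is inferred. The order matters to callers, because a browser decodes character references in an attribute value before any script in it runs, so the combined output no longer carries a JavaScript-level escape for the quote in that context. I would add a comment above each assertion such as `// HTML escaping is applied first, so the quote is a character reference here and not \'`, and keep one case with only `setJavaScriptEscape("true")` that still asserts `\'`. Both test methods begin outside their hunks.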
diff --git a/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java b/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java index 9bf708967f8..2eec8db4183 100644 --- a/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java +++ b/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2008 the original author or authors. + * Copyright 2002-2011 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -174,7 +174,7 @@ public class FormTagTests extends AbstractHtmlElementTagTests { String xssQueryString = QUERY_STRING + "&stuff=\">"; request.setQueryString(xssQueryString); tag.doStartTag(); - assertEquals("
", + assertEquals("", getOutput()); } diff --git a/org.springframework.web/src/test/java/org/springframework/web/bind/EscapedErrorsTests.java b/org.springframework.web/src/test/java/org/springframework/web/bind/EscapedErrorsTests.java index a279ceab4b2..9f6a1df756f 100644 --- a/org.springframework.web/src/test/java/org/springframework/web/bind/EscapedErrorsTests.java +++ b/org.springframework.web/src/test/java/org/springframework/web/bind/EscapedErrorsTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2006 the original author or authors. + * Copyright 2002-2011 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,7 +16,7 @@ package org.springframework.web.bind; -import junit.framework.TestCase; +import org.junit.Test; import org.springframework.beans.TestBean; import org.springframework.validation.BindException; @@ -24,12 +24,15 @@ import org.springframework.validation.Errors; import org.springframework.validation.FieldError; import org.springframework.validation.ObjectError; +import static org.junit.Assert.*; + /** * @author Juergen Hoeller * @since 02.05.2003 */ -public class EscapedErrorsTests extends TestCase { +public class EscapedErrorsTests { + @Test public void testEscapedErrors() { TestBean tb = new TestBean(); tb.setName("empty &"); 
@@ -47,11 +50,11 @@ public class EscapedErrorsTests extends TestCase { assertTrue("Correct global errors flag", errors.hasGlobalErrors()); assertTrue("Correct number of global errors", errors.getGlobalErrorCount() == 1); ObjectError globalError = errors.getGlobalError(); - assertTrue("Global error message escaped", "message: " '".equals(globalError.getDefaultMessage())); + assertTrue("Global error message escaped", "message: " '".equals(globalError.getDefaultMessage())); assertTrue("Global error code not escaped", "GENERAL_ERROR \" '".equals(globalError.getCode())); - ObjectError globalErrorInList = (ObjectError) errors.getGlobalErrors().get(0); + ObjectError globalErrorInList = errors.getGlobalErrors().get(0); assertTrue("Same global error in list", globalError.getDefaultMessage().equals(globalErrorInList.getDefaultMessage())); - ObjectError globalErrorInAllList = (ObjectError) errors.getAllErrors().get(3); + ObjectError globalErrorInAllList = errors.getAllErrors().get(3); assertTrue("Same global error in list", globalError.getDefaultMessage().equals(globalErrorInAllList.getDefaultMessage())); assertTrue("Correct field errors flag", errors.hasFieldErrors()); @@ -60,7 +63,7 @@ public class EscapedErrorsTests extends TestCase { FieldError fieldError = errors.getFieldError(); assertTrue("Field error code not escaped", "NAME_EMPTY &".equals(fieldError.getCode())); assertTrue("Field value escaped", "empty &".equals(errors.getFieldValue("name"))); - FieldError fieldErrorInList = (FieldError) errors.getFieldErrors().get(0); + FieldError fieldErrorInList = errors.getFieldErrors().get(0); assertTrue("Same field error in list", fieldError.getDefaultMessage().equals(fieldErrorInList.getDefaultMessage())); assertTrue("Correct name errors flag", errors.hasFieldErrors("name")); 
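Review bot: The assertions touched here are written as `assertTrue(message, "literal".equals(actual))`, so when an escaping expectation fails the report shows only the message and not the string that was actually produced; the hunks at -60, -70 and -80 of this file use the same form. With `import static org.junit.Assert.*` now in the file, `assertEquals("Global error message escaped", expectedMessage, globalError.getDefaultMessage());` (with `expectedMessage` standing for the existing literal) reports both values. On this page the removed and added versions of that line render identically, presumably because the quote reference was decoded during extraction, so the literal itself cannot be checked from here. The test method starts before this hunk and continues after it.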
@@ -70,7 +73,7 @@ public class EscapedErrorsTests extends TestCase { assertTrue("Name error message escaped", "message: &".equals(nameError.getDefaultMessage())); assertTrue("Name error code not escaped", "NAME_EMPTY &".equals(nameError.getCode())); assertTrue("Name value escaped", "empty &".equals(errors.getFieldValue("name"))); - FieldError nameErrorInList = (FieldError) errors.getFieldErrors("name").get(0); + FieldError nameErrorInList = errors.getFieldErrors("name").get(0); assertTrue("Same name error in list", nameError.getDefaultMessage().equals(nameErrorInList.getDefaultMessage())); assertTrue("Correct age errors flag", errors.hasFieldErrors("age")); @@ -80,9 +83,9 @@ public class EscapedErrorsTests extends TestCase { assertTrue("Age error message escaped", "message: <tag>".equals(ageError.getDefaultMessage())); assertTrue("Age error code not escaped", "AGE_NOT_SET ".equals(ageError.getCode())); assertTrue("Age value not escaped", (new Integer(0)).equals(errors.getFieldValue("age"))); - FieldError ageErrorInList = (FieldError) errors.getFieldErrors("age").get(0); + FieldError ageErrorInList = errors.getFieldErrors("age").get(0); assertTrue("Same name error in list", ageError.getDefaultMessage().equals(ageErrorInList.getDefaultMessage())); - FieldError ageError2 = (FieldError) errors.getFieldErrors("age").get(1); + FieldError ageError2 = errors.getFieldErrors("age").get(1); assertTrue("Age error 2 message escaped", "message: <tag>".equals(ageError2.getDefaultMessage())); assertTrue("Age error 2 code not escaped", "AGE_NOT_32 ".equals(ageError2.getCode())); } diff --git a/org.springframework.web/src/test/java/org/springframework/web/util/HtmlCharacterEntityReferencesTests.java b/org.springframework.web/src/test/java/org/springframework/web/util/HtmlCharacterEntityReferencesTests.java index 263bebb893c..97917b81469 100644 --- a/org.springframework.web/src/test/java/org/springframework/web/util/HtmlCharacterEntityReferencesTests.java 
+++ b/org.springframework.web/src/test/java/org/springframework/web/util/HtmlCharacterEntityReferencesTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2005 the original author or authors. + * Copyright 2002-2011 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -24,16 +24,19 @@ import java.io.StreamTokenizer; import java.util.HashMap; import java.util.Map; -import junit.framework.TestCase; +import org.junit.Test; + +import static org.junit.Assert.*; /** * @author Martin Kersten * @author Juergen Hoeller */ -public class HtmlCharacterEntityReferencesTests extends TestCase { +public class HtmlCharacterEntityReferencesTests { private static final String DTD_FILE = "HtmlCharacterEntityReferences.dtd"; + @Test public void testSupportsAllCharacterEntityReferencesDefinedByHtml() { HtmlCharacterEntityReferences entityReferences = new HtmlCharacterEntityReferences(); Map referenceCharactersMap = getReferenceCharacterMap(); 
@@ -49,8 +52,12 @@ public class HtmlCharacterEntityReferencesTests extends TestCase { entityReferences.isMappedToReference((char) character)); assertEquals("The reference of unicode character " + character + " should be entity " + referenceName, fullReference, entityReferences.convertToReference((char) character)); - assertEquals("The entity reference [" + referenceName + "] should be mapped to unicode character " + character, - (char) character, entityReferences.convertToCharacter(referenceName)); + assertEquals("The entity reference [" + referenceName + "] should be mapped to unicode character " + + character, (char) character, entityReferences.convertToCharacter(referenceName)); + } + else if (character == 39) { + assertTrue(entityReferences.isMappedToReference((char) character)); + assertEquals("'", entityReferences.convertToReference((char) character)); } else { assertFalse("The unicode character " + character + " should not be mapped to a reference", 
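Review bot: The added `else if (character == 39)` branch uses a bare code point and two assertions without messages, unlike the branches around it; `else if (character == '\'') {` plus a message such as `"The apostrophe should be mapped to a reference"` would make the intent readable. The branch checks `isMappedToReference` and `convertToReference` only, whereas the first branch also checks the reverse direction with `convertToCharacter(referenceName)`, so decoding of the emitted apostrophe reference is not covered here. A round trip such as `assertEquals("'", HtmlUtils.htmlUnescape(HtmlUtils.htmlEscape("'")));` in this class or the HtmlUtils tests would close that gap. The expected value in `assertEquals("'", …)` appears as a plain quote on this page, presumably a decoded reference. The loop and the first `if` begin outside the hunk.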
@@ -61,17 +68,17 @@ public class HtmlCharacterEntityReferencesTests extends TestCase { } assertEquals("The registered entity count of entityReferences should match the number of entity references", - referenceCharactersMap.size(), entityReferences.getSupportedReferenceCount()); - assertEquals("The HTML 4.0 Standard defines 252 entity references so do entityReferences", - 252, entityReferences.getSupportedReferenceCount()); + referenceCharactersMap.size() + 1, entityReferences.getSupportedReferenceCount()); + assertEquals("The HTML 4.0 Standard defines 252+1 entity references so do entityReferences", + 252 + 1, entityReferences.getSupportedReferenceCount()); - assertEquals("Invalid entity reference names should not be convertable", + assertEquals("Invalid entity reference names should not be convertible", (char) -1, entityReferences.convertToCharacter("invalid")); } private Map getReferenceCharacterMap() { CharacterEntityResourceIterator entityIterator = new CharacterEntityResourceIterator(); - Map referencedCharactersMap = new HashMap(); + Map referencedCharactersMap = new HashMap(); while (entityIterator.hasNext()) { int character = entityIterator.getReferredCharacter(); String entityName = entityIterator.nextEntry(); @@ -103,7 +110,7 @@ public class HtmlCharacterEntityReferencesTests extends TestCase { } public boolean hasNext() { - return (currentEntityName != null ? true : readNextEntity()); + return (currentEntityName != null || readNextEntity()); } public String nextEntry() {
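Review bot: The message "The HTML 4.0 Standard defines 252+1 entity references so do entityReferences" misstates where the extra entry comes from: the expected count is still derived from `referenceCharactersMap.size()`, and the `+ 1` is presumably the apostrophe mapping exercised by the `character == 39` branch in the previous hunk. I would reword it to `"The HTML 4.0 Standard defines 252 entity references; entityReferences adds one mapping for the apostrophe"` and put `// + 1: apostrophe, mapped although the DTD does not define it` above the first count assertion. Both count assertions hard-code the `+ 1` separately, so a later non-DTD mapping has to be updated in two places. The test method begins outside the hunk.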