OPEN - issue SEC-966: Consider adding escapeXml attribute to security:authentication

http://jira.springframework.org/browse/SEC-966.  Added escaping of rendered text as default.

core/src/main/java/org/springframework/security/util/TextUtils.java

@@ -9,6 +9,10 @@ package org.springframework.security.util;
 public abstract class TextUtils {
 
     public static String escapeEntities(String s) {
+        if (s == null || s.length() == 0) {
+            return s;
+        }
+
         StringBuffer sb = new StringBuffer();
 
         for (int i=0; i < s.length(); i++) {

taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java

@@ -19,6 +19,7 @@ import org.springframework.security.Authentication;
 
 import org.springframework.security.context.SecurityContext;
 import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.util.TextUtils;
 
 import org.springframework.beans.BeanWrapperImpl;
 import org.springframework.beans.BeansException;
@@ -120,7 +121,7 @@ public class AuthenticationTag extends TagSupport {
                 }
             }
         } else {
-            writeMessage(String.valueOf(result));
+            writeMessage(TextUtils.escapeEntities(String.valueOf(result)));
         }
         return EVAL_PAGE;
     }