OPEN - issue SEC-966: Consider adding escapeXml attribute to security:authentication

http://jira.springframework.org/browse/SEC-966. Added escaping of rendered text as default.
2008-08-26 16:21:29 +00:00 · 2008-08-26 16:21:29 +00:00 · d781deffe7
parent a4e4120443
commit d781deffe7
2 changed files with 12 additions and 7 deletions
--- a/core/src/main/java/org/springframework/security/util/TextUtils.java
+++ b/core/src/main/java/org/springframework/security/util/TextUtils.java
@ -2,18 +2,22 @@ package org.springframework.security.util;
 /**
 * Utilities for working with Strings and text.
- * 
+ *
 * @author Luke Taylor
 * @version $Id$
 */
 public abstract class TextUtils {
    public static String escapeEntities(String s) {
        if (s == null || s.length() == 0) {
            return s;
        }
        StringBuffer sb = new StringBuffer();
-        
+
        for (int i=0; i < s.length(); i++) {
            char c = s.charAt(i);
-            
+
            if(c == '<') {
                sb.append("&lt;");
            } else if (c == '>') {
@ -26,8 +30,8 @@ public abstract class TextUtils {
                sb.append(c);
            }
        }
-        
+
        return sb.toString();
    }
-    
+
 }
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AuthenticationTag.java
@ -19,6 +19,7 @@ import org.springframework.security.Authentication;
 import org.springframework.security.context.SecurityContext;
 import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.util.TextUtils;
 import org.springframework.beans.BeanWrapperImpl;
 import org.springframework.beans.BeansException;
@ -94,7 +95,7 @@ public class AuthenticationTag extends TagSupport {
            if (auth.getPrincipal() == null) {
                return Tag.EVAL_PAGE;
            }
-            
+
            try {
                BeanWrapperImpl wrapper = new BeanWrapperImpl(auth);
                result = wrapper.getPropertyValue(property);
@ -120,7 +121,7 @@ public class AuthenticationTag extends TagSupport {
                }
            }
        } else {
-            writeMessage(String.valueOf(result));
+            writeMessage(TextUtils.escapeEntities(String.valueOf(result)));
        }
        return EVAL_PAGE;
    }