[GROOVY-7615] MarkupTemplateBuilder autoEscape only escapes top level model properties - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 2.4.4
Fix Version/s: None
Component/s: Templating
Labels:
None

Description

TemplateConfiguration.setAutoEscape(true) only affects values in models top level. Nested values will not be escaped.

Example:

import groovy.text.markup.MarkupTemplateEngine
import groovy.text.markup.TemplateConfiguration

def tplConf = new TemplateConfiguration()
tplConf.autoEscape = true
def engine = new MarkupTemplateEngine(tplConf)

def template = engine.createTemplate ('''
html {
    body {
        div(unsafeContents)
        div(nested.unsafe)
    }
}
''')

model = new HashMap<String,Object>();
model.put("unsafeContents", "I am an <html> hacker.");
model.put("nested", [unsafe: "I am an <html> hacker."]);

Writable output = template.make(model)
assert '<html><body><div>I am an &lt;html&gt; hacker.</div><div>I am an <html> hacker.</div></body></html>' == output.toString()

div(nested.unsafe) is not escaped.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Rainer Schmitz

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 01/Oct/15 10:26

Updated:: 16/Sep/20 08:25