Posted to notifications@groovy.apache.org by "Balachandran Sivakumar (JIRA)" <ji...@apache.org> on 2015/10/01 22:03:26 UTC

[jira] [Commented] (GROOVY-7615) MarkupTemplateBuilder autoEscape only escapes top level model properties

    [ https://issues.apache.org/jira/browse/GROOVY-7615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14940318#comment-14940318 ] 

Balachandran Sivakumar commented on GROOVY-7615:
------------------------------------------------

Shall I add a bunch of test cases for the MarkupTemplateEngine class so that this gets caught easily?

> MarkupTemplateBuilder autoEscape only escapes top level model properties
> ------------------------------------------------------------------------
>
>                 Key: GROOVY-7615
>                 URL: https://issues.apache.org/jira/browse/GROOVY-7615
>             Project: Groovy
>          Issue Type: Bug
>          Components: Templating
>    Affects Versions: 2.4.4
>            Reporter: Rainer Schmitz
>
> {{TemplateConfiguration.setAutoEscape(true)}} only affects values in the model's top level. Nested values will not be escaped.
> Example:
> {code}import groovy.text.markup.MarkupTemplateEngine
> import groovy.text.markup.TemplateConfiguration
> def tplConf = new TemplateConfiguration()
> tplConf.autoEscape = true
> def engine = new MarkupTemplateEngine(tplConf)
> def template = engine.createTemplate ('''
> html {
>     body {
>         div(unsafeContents)
>         div(nested.unsafe)
>     }
> }
> ''')
> model = new HashMap<String,Object>();
> model.put("unsafeContents", "I am an <html> hacker.");
> model.put("nested", [unsafe: "I am an <html> hacker."]);
> Writable output = template.make(model)
> assert '<html><body><div>I am an &lt;html&gt; hacker.</div><div>I am an <html> hacker.</div></body></html>' == output.toString(){code}
> {{div(nested.unsafe)}} is not escaped.


