Posted to notifications@groovy.apache.org by "Jochen Eddelbuettel (Jira)" <ji...@apache.org> on 2020/09/16 08:26:00 UTC

[jira] [Commented] (GROOVY-7615) MarkupTemplateBuilder autoEscape only escapes top level model properties

    [ https://issues.apache.org/jira/browse/GROOVY-7615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17196779#comment-17196779 ] 

Jochen Eddelbuettel commented on GROOVY-7615:
---------------------------------------------

My expectation would be that the MarkupTemplateEngine works fully aligned with groovy.xml.MarkupBuilder or at least can be configured that way. This is a real show stopper.

> MarkupTemplateBuilder autoEscape only escapes top level model properties
> ------------------------------------------------------------------------
>
>                 Key: GROOVY-7615
>                 URL: https://issues.apache.org/jira/browse/GROOVY-7615
>             Project: Groovy
>          Issue Type: Bug
>          Components: Templating
>    Affects Versions: 2.4.4
>            Reporter: Rainer Schmitz
>            Priority: Major
>
> {{TemplateConfiguration.setAutoEscape(true)}} only affects values in the model's top level. Nested values will not be escaped.
> Example:
> {code}import groovy.text.markup.MarkupTemplateEngine
> import groovy.text.markup.TemplateConfiguration
> def tplConf = new TemplateConfiguration()
> tplConf.autoEscape = true
> def engine = new MarkupTemplateEngine(tplConf)
> def template = engine.createTemplate ('''
> html {
>     body {
>         div(unsafeContents)
>         div(nested.unsafe)
>     }
> }
> ''')
> model = new HashMap<String,Object>();
> model.put("unsafeContents", "I am an <html> hacker.");
> model.put("nested", [unsafe: "I am an <html> hacker."]);
> Writable output = template.make(model)
> assert '<html><body><div>I am an &lt;html&gt; hacker.</div><div>I am an <html> hacker.</div></body></html>' == output.toString(){code}
> {{div(nested.unsafe)}} is not escaped.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)