/* * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.springframework.web.servlet.tags; import java.io.IOException; import javax.servlet.jsp.JspException; import javax.servlet.jsp.tagext.BodyContent; import javax.servlet.jsp.tagext.BodyTag; import org.springframework.lang.Nullable; import org.springframework.util.Assert; import org.springframework.web.util.JavaScriptUtils; /** * The {@code <escapeBody>} tag is used to escape its enclosed body content, * applying HTML escaping and/or JavaScript escaping. * * <p>Provides a "htmlEscape" property for explicitly specifying whether to * apply HTML escaping. If not set, a page-level default (e.g. from the * HtmlEscapeTag) or an application-wide default (the "defaultHtmlEscape" * context-param in web.xml) is used. * * <p>Provides a "javaScriptEscape" property for specifying whether to apply * JavaScript escaping. Can be combined with HTML escaping or used standalone. * * <table> * <caption>Attribute Summary</caption> * <thead> * <tr> * <th>Attribute</th> * <th>Required?</th> * <th>Runtime Expression?</th> * <th>Description</th> * </tr> * </thead> * <tbody> * <tr> * <td>htmlEscape</td> * <td>false</td> * <td>true</td> * <td>Set HTML escaping for this tag, as boolean value. * Overrides the default HTML escaping setting for the current page.</td> * </tr> * <tr> * <td>javaScriptEscape</td> * <td>false</td> * <td>true</td> * <td>Set JavaScript escaping for this tag, as boolean value. * Default is false.</td> * </tr> * </tbody> * </table> * * @author Juergen Hoeller * @since 1.1.1 * @see org.springframework.web.util.HtmlUtils * @see org.springframework.web.util.JavaScriptUtils */ @SuppressWarnings("serial") public class EscapeBodyTag extends HtmlEscapingAwareTag implements BodyTag { private boolean javaScriptEscape = false; @Nullable private BodyContent bodyContent; /** * Set JavaScript escaping for this tag, as boolean value. * Default is "false". */ public void setJavaScriptEscape(boolean javaScriptEscape) throws JspException { this.javaScriptEscape = javaScriptEscape; } @Override protected int doStartTagInternal() { // do nothing return EVAL_BODY_BUFFERED; } @Override public void doInitBody() { // do nothing } @Override public void setBodyContent(BodyContent bodyContent) { this.bodyContent = bodyContent; } @Override public int doAfterBody() throws JspException { try { String content = readBodyContent(); // HTML and/or JavaScript escape, if demanded content = htmlEscape(content); content = (this.javaScriptEscape ? JavaScriptUtils.javaScriptEscape(content) : content); writeBodyContent(content); } catch (IOException ex) { throw new JspException("Could not write escaped body", ex); } return (SKIP_BODY); } /** * Read the unescaped body content from the page. * @return the original content * @throws IOException if reading failed */ protected String readBodyContent() throws IOException { Assert.state(this.bodyContent != null, "No BodyContent set"); return this.bodyContent.getString(); } /** * Write the escaped body content to the page. * <p>Can be overridden in subclasses, e.g. for testing purposes. * @param content the content to write * @throws IOException if writing failed */ protected void writeBodyContent(String content) throws IOException { Assert.state(this.bodyContent != null, "No BodyContent set"); this.bodyContent.getEnclosingWriter().print(content); } }