

Ensure fragment for menu items is not itself rendered
Formerly there was a "ghost" menu item with no text and no icon
because Thymeleaf had not been instructed to remove the fragment
definition. This change tidies that up and also removes the use of
the "path" variable, which Thymeleaf populates from the current
request context, and poses a potential security threat as a
result (if users type malicious characters in the URL).
Dave Syer committed Jun 13, 2020
1 parent d173555 commit 07b9d5a
Showing 1 changed file with 74 additions and 64 deletions.
138 changes: 74 additions & 64 deletions src/main/resources/templates/fragments/layout.html
@@ -1,88 +1,98 @@
<!doctype html>
<html th:fragment="layout (template, menu)">

<head>
<head>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

<link rel="shortcut icon" type="image/x-icon" th:href="@{/resources/images/favicon.png}">
<link rel="shortcut icon" type="image/x-icon" th:href="@{/resources/images/favicon.png}">

<title>PetClinic :: a Spring Framework demonstration</title>
<title>PetClinic :: a Spring Framework demonstration</title>

<!--[if lt IE 9]>
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->

<link rel="stylesheet" th:href="@{/resources/css/petclinic.css}"/>
<link rel="stylesheet" th:href="@{/resources/css/petclinic.css}" />

</head>
</head>

<body>

<nav class="navbar navbar-default" role="navigation">
<div class="container">
<div class="navbar-header">
<a class="navbar-brand" th:href="@{/}"><span></span></a>
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#main-navbar">
<span class="sr-only"><os-p>Toggle navigation</os-p></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
</div>
<div class="navbar-collapse collapse" id="main-navbar">
<ul class="nav navbar-nav navbar-right">

<li th:fragment="menuItem (path,active,title,glyph,text)" class="active" th:class="${active==menu ? 'active' : ''}">
<a th:href="@{__${path}__}" th:title="${title}">
<span th:class="'glyphicon glyphicon-'+${glyph}" class="glyphicon glyphicon-home" aria-hidden="true"></span>
<span th:text="${text}">Template</span>
</a>
</li>

<li th:replace="::menuItem ('/','home','home page','home','Home')">
<span class="glyphicon glyphicon-home" aria-hidden="true"></span>
<span>Home</span>
</li>

<li th:replace="::menuItem ('/owners/find','owners','find owners','search','Find owners')">
<span class="glyphicon glyphicon-search" aria-hidden="true"></span>
<span>Find owners</span>
</li>

<li th:replace="::menuItem ('/vets.html','vets','veterinarians','th-list','Veterinarians')">
<span class="glyphicon glyphicon-th-list" aria-hidden="true"></span>
<span>Veterinarians</span>
</li>

<li th:replace="::menuItem ('/oups','error','trigger a RuntimeException to see how it is handled','warning-sign','Error')">
<span class="glyphicon glyphicon-warning-sign" aria-hidden="true"></span>
<span>Error</span>
</li>

</ul>
</div>
<div class="container">
<div class="navbar-header">
<a class="navbar-brand" th:href="@{/}"><span></span></a>
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#main-navbar">
<span class="sr-only">
<os-p>Toggle navigation</os-p>
</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
</div>
<div class="navbar-collapse collapse" id="main-navbar">

<ul class="nav navbar-nav navbar-right" th:remove="all">

<li th:fragment="menuItem (link,active,title,glyph,text)" class="active"
th:class="${active==menu ? 'active' : ''}">
<a th:href="@{__${link}__}" th:title="${title}">
<span th:class="'glyphicon glyphicon-'+${glyph}" class="glyphicon glyphicon-home"
aria-hidden="true"></span>
<span th:text="${text}">Template</span>
</a>
</li>

</ul>

<ul class="nav navbar-nav navbar-right">

<li th:replace="::menuItem ('/','home','home page','home','Home')">
<span class="glyphicon glyphicon-home" aria-hidden="true"></span>
<span>Home</span>
</li>

<li th:replace="::menuItem ('/owners/find','owners','find owners','search','Find owners')">
<span class="glyphicon glyphicon-search" aria-hidden="true"></span>
<span>Find owners</span>
</li>

<li th:replace="::menuItem ('/vets.html','vets','veterinarians','th-list','Veterinarians')">
<span class="glyphicon glyphicon-th-list" aria-hidden="true"></span>
<span>Veterinarians</span>
</li>

<li
th:replace="::menuItem ('/oups','error','trigger a RuntimeException to see how it is handled','warning-sign','Error')">
<span class="glyphicon glyphicon-warning-sign" aria-hidden="true"></span>
<span>Error</span>
</li>

</ul>
</div>
</div>
</nav>
<div class="container-fluid">
<div class="container xd-container">

<th:block th:include="${template}"/>

<br/>
<br/>
<div class="container">
<div class="row">
<div class="col-12 text-center">
<img src="../static/resources/images/spring-pivotal-logo.png" th:src="@{/resources/images/spring-pivotal-logo.png}"
alt="Sponsored by Pivotal"/></div>
</div>
<div class="container xd-container">

<th:block th:include="${template}" />

<br />
<br />
<div class="container">
<div class="row">
<div class="col-12 text-center">
<img src="../static/resources/images/spring-pivotal-logo.png"
th:src="@{/resources/images/spring-pivotal-logo.png}" alt="Sponsored by Pivotal" /></div>
</div>
</div>
</div>
</div>

<script th:src="@{/webjars/jquery/jquery.min.js}"></script>
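Review bot: Renaming the fragment parameter from `path` to `link` on the `<li th:fragment="menuItem (link,active,title,glyph,text)">` line removes the clash with the request-context `path` variable, but `th:href="@{__${link}__}"` still goes through `__…__` preprocessing, which takes the string the variable resolves to and evaluates it a second time as an expression. With the four literal arguments in the `th:replace` calls this is harmless, and it stays harmless only as long as no caller ever feeds request-derived data into the fragment. Because the argument is already a plain string, the preprocessing pass is unnecessary: `<a th:href="@{${link}}" th:title="${title}">` yields the same context-relative URL without re-evaluating the value. A comment on the fragment line such as `<!-- menuItem arguments are template literals that feed a URL expression; never pass request data here -->` would record that constraint for future callers.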