In LocalizationBundle#getStringWithParams, the key can refer a pattern in which the expected parameter(s) can be other than a String. Takes into account by applying the encoding for HTML only on String parameters.

Author: mmoqui

kernel-library/src/main/java/org/silverpeas/kernel/bundle/LocalizationBundle.java

@@ -217,9 +217,11 @@ public String getStringWithParams(String resName, Object... params) {
     String msgPattern = getString(resName);
     // we encode the parameters as they can be provided by a user and they can have XSS statements
     return MessageFormat.format(msgPattern, Arrays.stream(params)
-        .map(Object::toString)
-        .map(Encode::forHtml)
-        .toArray());
+            .map(p -> Optional.of(p)
+                .filter(String.class::isInstance)
+                .map(o -> (Object) Encode.forHtml((String) o))
+                .orElse(p)
+            ).toArray());
   }
 
   @Override

kernel-library/src/test/java/org/silverpeas/kernel/bundle/LocalizationBundleTest.java

@@ -93,6 +93,29 @@ void getParametrizedText() {
     assertThat(value2, is("'Bidule' est plus petit que 'Toto'"));
   }
 
+  @Test
+  void getParametrizedTextWithXSS() {
+    LocalizationBundle bundle = ResourceLocator.getLocalizationBundle(LOCALIZATION_BUNDLE, Locale.FRENCH);
+    String value = bundle.getStringWithParams("cle.param.2", "Bidule",
+        "<img src=x onerror=prompt(document.cookie)/>");
+    assertThat(value, is("\"Bidule\" est plus petit que \"&lt;img src=x onerror=prompt(document" +
+        ".cookie)/&gt;\""));
+  }
+
+  @Test
+  void getParametrizedTextWithNumber() {
+    LocalizationBundle bundle = ResourceLocator.getLocalizationBundle(LOCALIZATION_BUNDLE,
+        Locale.ENGLISH);
+    String value1 = bundle.getStringWithParams("cle.param.1", 0);
+    assertThat(value1, is("just"));
+
+    String value2= bundle.getStringWithParams("cle.param.1", 1);
+    assertThat(value2, is("1 hour"));
+
+    String value3= bundle.getStringWithParams("cle.param.1", 3);
+    assertThat(value3, is("3 hours"));
+  }
+
   @Test
   void getMissingPropertyShouldThrowMissingResourceException() {
     LocalizationBundle bundle = ResourceLocator.getLocalizationBundle(LOCALIZATION_BUNDLE);

kernel-library/src/test/resources/org/silverpeas/test/multilang/l10n_en.properties

@@ -27,5 +27,7 @@ language_de = German
 
 icon = ${sys.FOO}/en/logo-language.png
 
+cle.param.1 = {0,choice, 0#just| 1#{0} hour| 1<{0} hours}
+
 cle.param.2 = "{0}" is smaller than "{1}"
 cle.param.2bis = ''{0}'' is smaller than ''{1}''

kernel-library/src/test/resources/org/silverpeas/test/multilang/l10n_fr.properties

@@ -27,5 +27,7 @@ language_de = Allemand
 
 icon = ${sys.FOO}/fr/logo-language.png
 
+cle.param.1 = {0,choice, 0#juste| 1#{0} heure| 1<{0} heures}
+
 cle.param.2 = "{0}" est plus petit que "{1}"
 cle.param.2bis = ''{0}'' est plus petit que ''{1}''