Escape EL expressions in ViolationCollector #3157

Merged
merged 6 commits into from Feb 20, 2020

@joschi joschi commented Feb 19, 2020

Fixes #3153

@joschi joschi added this to the 2.0.2 milestone Feb 19, 2020
@joschi joschi requested a review from a team February 19, 2020 23:48
@joschi joschi self-assigned this Feb 19, 2020

@evnm evnm left a comment

Thanks for jumping on this.

String messageTemplate = escapeEl(message);
context.buildConstraintViolationWithTemplate(messageTemplate)
.addPropertyNode(propertyName)
.addBeanNode().inIterable().atKey(key)
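
Review bot: in this `atKey(key)` chain only `message` goes through `escapeEl` before `buildConstraintViolationWithTemplate`; `propertyName` and `key` are handed to `addPropertyNode` and `atKey` unescaped. Please add a test that passes a `${...}` string in each of the three arguments and asserts that the resulting violation carries it back literally, and document on the method that `message` is treated as literal text with respect to EL.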

Thanks for digging into the javax.validation API to find these nuggets

@joschi joschi merged commit d87d1e4 into master Feb 20, 2020
@joschi joschi deleted the issue-3153 branch February 20, 2020 01:36
joschi added a commit that referenced this pull request Feb 20, 2020
Fixes #3153
Refs #3157
(cherry picked from commit d87d1e4)
joschi added a commit that referenced this pull request Feb 20, 2020
joschi added a commit that referenced this pull request Mar 26, 2020
Disable message interpolation in ConstraintViolations by default but allow enabling it explicitly with `SelfValidating#escapeExpressions()`.

Additionally, `ConstraintViolations` now provides a set of methods which take a map of message parameters for interpolation.
The message parameters will be escaped by default.

Refs #3153
Refs #3157
joschi added a commit that referenced this pull request Mar 26, 2020
Disable message interpolation in ConstraintViolations by default but allow enabling it explicitly with `SelfValidating#escapeExpressions()`.

Additionally, `ConstraintViolations` now provides a set of methods which take a map of message parameters for interpolation.
The message parameters will be escaped by default.

Refs #3153
Refs #3157
Refs #3208
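
The commit messages above describe escaping violation messages and message parameters so that they are not interpolated. As an added example (not code from this pull request or from Dropwizard), the sketch below escapes the characters the Bean Validation message syntax treats as special and checks whether a template still contains an unescaped `${`; the class and method names are hypothetical.

```java
import java.util.regex.Pattern;

// Added illustration: hypothetical helper names, not Dropwizard's implementation.
public final class TemplateEscapeExample {

    // Bean Validation message templates treat '\', '{', '}' and '$' as special;
    // a preceding backslash makes each of them literal.
    private static final Pattern META = Pattern.compile("[\\\\{}$]");

    // Returns text the message interpolator will treat as a literal string.
    // The backslash is escaped too, so a backslash already present in the input
    // cannot cancel the escape added here.
    static String escapeTemplate(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        return META.matcher(untrusted).replaceAll("\\\\$0");
    }

    // True if the template still contains an unescaped "${", i.e. an EL
    // expression that interpolation would evaluate.
    static boolean hasLiveExpression(String template) {
        for (int i = 0; i < template.length() - 1; i++) {
            char c = template.charAt(i);
            if (c == '\\') {
                i++; // skip the escaped character
            } else if (c == '$' && template.charAt(i + 1) == '{') {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for a request field echoed into a message.
        String[] samples = {"alice", "${1+1}", "\\${1+1}", "{min} items"};
        for (String s : samples) {
            String raw = "Unknown value: " + s;                  // concatenated as-is
            String safe = "Unknown value: " + escapeTemplate(s); // literal text only
            System.out.printf("raw-live=%-5b escaped-live=%-5b template=%s%n",
                    hasLiveExpression(raw), hasLiveExpression(safe), safe);
        }
    }
}
```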

Successfully merging this pull request may close these issues.

Security issue