[GEOS-11154] Improve handling special characters in the MapML HTML Page

src/extension/mapml/src/main/java/org/geoserver/mapml/MapMLController.java

@@ -5,6 +5,7 @@
 
 package org.geoserver.mapml;
 
+import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;
 import static org.geoserver.mapml.MapMLConstants.MAPML_MIME_TYPE;
 
 import java.io.IOException;
@@ -186,13 +187,12 @@ public String Html(
                         "/mapml/viewer/widget/mapml-viewer.js",
                         null,
                         URLMangler.URLType.RESOURCE);
-        String title = layerLabel;
         StringBuilder sb = new StringBuilder();
         sb.append("<!DOCTYPE html>\n")
                 .append("<html>\n")
                 .append("<head>\n")
                 .append("<title>")
-                .append(title)
+                .append(escapeHtml4(layerLabel))
                 .append("</title>\n")
                 .append("<meta charset='utf-8'>\n")
                 .append("<script type=\"module\"  src=\"")
@@ -225,17 +225,17 @@ public String Html(
                 .append(longitude)
                 .append("\" controls controlslist=\"geolocation\">\n")
                 .append("<layer- label=\"")
-                .append(layerLabel)
+                .append(escapeHtml4(layerLabel))
                 .append("\" ")
                 .append("src=\"")
                 .append(request.getContextPath())
                 .append(request.getServletPath())
                 .append("/")
-                .append(layer)
+                .append(escapeHtml4(layer))
                 .append("/")
                 .append(proj)
                 .append("/")
-                .append(!styleName.isEmpty() ? "?style=" + styleName : "")
+                .append(!styleName.isEmpty() ? "?style=" + escapeHtml4(styleName) : "")
                 .append("\" checked></layer->\n")
                 .append("</mapml-viewer>\n")
                 .append("</body>\n")

src/extension/mapml/src/test/java/org/geoserver/mapml/MapMLControllerTest.java

@@ -6,6 +6,9 @@
 
 import static org.custommonkey.xmlunit.XMLAssert.assertXpathEvaluatesTo;
 import static org.geowebcache.grid.GridSubsetFactory.createGridSubSet;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
@@ -243,6 +246,34 @@ public void testHTML() throws Exception {
                 "layerGroup".equalsIgnoreCase(d.title()));
     }
 
+    @Test
+    public void testEscaping() throws Exception {
+        String unescapedTitle = "title\"><";
+        String escapedTitle = "title&quot;&gt;&lt;";
+        Catalog catalog = getCatalog();
+        LayerGroupInfo lg = catalog.getLayerGroupByName("layerGroup");
+        MockHttpServletRequest request = createRequest("mapml/" + lg.getName() + "/osmtile");
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        try {
+            lg.setTitle(unescapedTitle);
+            catalog.save(lg);
+            String htmlResponse =
+                    mc.Html(
+                            request,
+                            response,
+                            lg.getName(),
+                            "osmtile",
+                            Optional.empty(),
+                            Optional.empty(),
+                            Optional.empty());
+            assertThat(htmlResponse, not(containsString(unescapedTitle)));
+            assertThat(htmlResponse, containsString(escapedTitle));
+        } finally {
+            lg.setTitle(null);
+            catalog.save(lg);
+        }
+    }
+
     @Test
     public void testNonExistentLayer() throws Exception {
         MockHttpServletRequest request = createRequest("mapml/" + "foo" + "/osmtile");