Sanitize input name

rstoyanchev committed Apr 6, 2018
1 parent d55a091 commit 6d68143e04ea1482b724c3f620688ec428089bc0
Showing with 3 additions and 2 deletions.
  1. +1 −1 README.adoc
  2. +2 −1 complete/src/main/java/hello/GreetingController.java
@@ -98,7 +98,7 @@ The payload of the message is bound to a `HelloMessage` object which is passed i
Internally, the implementation of the method simulates a processing delay by causing the thread to sleep for 1 second. This is to demonstrate that after the client sends a message, the server can take as long as it needs to process the message asynchronously. The client may continue with whatever work it needs to do without waiting on the response.
After the 1 second delay, the `greeting()` method creates a `Greeting` object and returns it. The return value is broadcast to all subscribers to "/topic/greetings" as specified in the {AtSendTo}[`@SendTo`] annotation.
After the 1 second delay, the `greeting()` method creates a `Greeting` object and returns it. The return value is broadcast to all subscribers to "/topic/greetings" as specified in the {AtSendTo}[`@SendTo`] annotation. Note that the name from the input message is sanitized since in this case it will be echoed back and re-rendered in the browser DOM on the client side.
== Configure Spring for STOMP messaging
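Review bot: the added sentence in the README hunk says the name "is sanitized", but what the code change actually does is HTML-escape the name when the greeting string is built, and that is only sufficient because the client inserts the returned content into the DOM as HTML (the sentence itself says the value is "re-rendered in the browser DOM"). Suggest making the context explicit, e.g. "the name is HTML-escaped before it is echoed back, because the client inserts the greeting into the page as HTML; without escaping, a name containing markup or script would be interpreted by the browser." It is also worth a clause saying this is output encoding for one specific context (HTML body text), so a client that inserted the text through a non-HTML API would see the entities literally.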
@@ -3,6 +3,7 @@
import org.springframework.messaging.handler.annotation.MessageMapping;
import org.springframework.messaging.handler.annotation.SendTo;
import org.springframework.stereotype.Controller;
import org.springframework.web.util.HtmlUtils;
@Controller
public class GreetingController {
@@ -12,7 +13,7 @@
@SendTo("/topic/greetings")
public Greeting greeting(HelloMessage message) throws Exception {
Thread.sleep(1000); // simulated delay
return new Greeting("Hello, " + message.getName() + "!");
return new Greeting("Hello, " + HtmlUtils.htmlEscape(message.getName()) + "!");
}
}
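Review bot: the escaping in `return new Greeting("Hello, " + HtmlUtils.htmlEscape(message.getName()) + "!");` depends on how the client renders `Greeting.content`, but nothing in the method records that the content is HTML-escaped; add a one-line comment saying so, so that a later change to the client, or a second subscriber to `/topic/greetings` that does not treat the content as HTML, does not silently double-encode or lose the escaping. Two smaller points on the same line: `message.getName()` is passed through unchecked, so a message without a name still produces "Hello, null!" exactly as before (`HtmlUtils.htmlEscape` passes a null input through unchanged), and a null/length check on the bound `HelloMessage` would close that off; and since the commit title says "Sanitize input", it should be clear to readers that this is output encoding at the point of use, not input validation, so any other use of the name (logging, persistence) is not covered by it.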
