Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

spring.ftl does not support turning off escaping for some macros on Spring 5 [SPR-16951] #21489

Closed
spring-projects-issues opened this issue Jun 18, 2018 · 6 comments
Assignees
Labels
in: web type: regression
Milestone

Comments

@spring-projects-issues
Copy link
Collaborator

@spring-projects-issues spring-projects-issues commented Jun 18, 2018

Kaj Hejer opened SPR-16951 and commented

After updating to Spring 5 all output from Spring freemarker macros are escaped. In <@spring.message> the message is escaped and in <@spring.formRadioButtons> the separator attribute is escaped f.x. "<br/>".

This has been discussed at https://stackoverflow.com/questions/50871832/spring-5-and-escaping-in-springs-freemarker-macros

Config:

@Bean
public FreeMarkerConfigurer freeMarkerConfigurer() {
    FreeMarkerConfigurer config = new FreeMarkerConfigurer();
    config.setTemplateLoaderPath("/WEB-INF/templates/ftl/");    
    Properties props = new Properties();
    props.put("template_update_delay", getFreemarkerUpdateDelay());
    props.put("template_exception_handler", getFreemarkerExceptionHandler());
    props.put("url_escaping_charset", WebConstants.CHAR_SET_UTF_8);
    config.setFreemarkerSettings(props);
    config.setDefaultEncoding(WebConstants.CHAR_SET_UTF_8);
    return config;
}

We use Freemarker 2.3.28 and Spring 5.0.7.RELEASE


Affects: 5.0.7

Issue Links:

  • #19306 spring.ftl doesn't work on freemarker 2.3.24+'s auto escaping feature

Referenced from: commits 08e1c8c, 75f26ee

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Jun 22, 2018

Kaj Hejer commented

Please see the comments on https://stackoverflow.com/questions/50871832/spring-5-and-escaping-in-springs-freemarker-macros for a suggestion on how to solve this issue.

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Jun 28, 2018

Juergen Hoeller commented

I've added corresponding ?no_esc declarations to the separators and to message rendering, both of which have indeed been an oversight. This is in master for 5.1.0.BUILD-SNAPSHOT now; I'll backport it to 5.0.8 ASAP.

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Jul 2, 2018

Juergen Hoeller commented

Please give this a try against a recent snapshot: either 5.1.0.BUILD-SNAPSHOT or 5.0.8.BUILD-SNAPSHOT, available via Maven from https://repo.spring.io/snapshot... and let me know whether the default escaping behavior is now reasonably compatible with Spring 4.x again.

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Jul 2, 2018

Kaj Hejer commented

Thank you for fixing this issue! I have tested against 5.0.8.BUILD-SNAPSHOT and it seems to work fine! :)

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Jul 2, 2018

Juergen Hoeller commented

That's great to hear! Thanks for the immediate feedback.

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Aug 24, 2018

Sander van Schouwenburg commented

I see how this issue repairs compatibility with Spring 4. However, for those of us who expected some upgrade issues upgrading to Spring 5, observed this behavior change, and changed their code accordingly, this change in a minor release (5.0.7 -> 5.0.8) can introduce a MAJOR XSS vulnerability. Because we were now relying on freemarker properly escaping all messages, which it doesn't do anymore.

In fact, the only way to get proper escaping now, is to set <context-param><param-name>defaultHtmlEscape</param-name></context-param> in web.xml, but I can't find an equivalent in a MockMvc/HtmlUnit test setting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: web type: regression
Projects
None yet
Development

No branches or pull requests

2 participants