spring.ftl does not support turning off escaping for some macros on Spring 5 [SPR-16951]

[spring-projects-issues]

Kaj Hejer opened SPR-16951 and commented

After updating to Spring 5 all output from Spring freemarker macros are escaped. In <@spring.message> the message is escaped and in <@spring.formRadioButtons> the separator attribute is escaped f.x. "<br/>".

This has been discussed at https://stackoverflow.com/questions/50871832/spring-5-and-escaping-in-springs-freemarker-macros

Config:

@Bean
public FreeMarkerConfigurer freeMarkerConfigurer() {
    FreeMarkerConfigurer config = new FreeMarkerConfigurer();
    config.setTemplateLoaderPath("/WEB-INF/templates/ftl/");    
    Properties props = new Properties();
    props.put("template_update_delay", getFreemarkerUpdateDelay());
    props.put("template_exception_handler", getFreemarkerExceptionHandler());
    props.put("url_escaping_charset", WebConstants.CHAR_SET_UTF_8);
    config.setFreemarkerSettings(props);
    config.setDefaultEncoding(WebConstants.CHAR_SET_UTF_8);
    return config;
}

We use Freemarker 2.3.28 and Spring 5.0.7.RELEASE

---

Affects: 5.0.7

Issue Links:

• spring.ftl doesn't work on freemarker 2.3.24+'s auto escaping feature [SPR-14740] #19306 spring.ftl doesn't work on freemarker 2.3.24+'s auto escaping feature

Referenced from: commits 08e1c8c, 75f26ee

[spring-projects-issues]

Kaj Hejer commented

Please see the comments on https://stackoverflow.com/questions/50871832/spring-5-and-escaping-in-springs-freemarker-macros for a suggestion on how to solve this issue.

[spring-projects-issues]

Juergen Hoeller commented

I've added corresponding ?no_esc declarations to the separators and to message rendering, both of which have indeed been an oversight. This is in master for 5.1.0.BUILD-SNAPSHOT now; I'll backport it to 5.0.8 ASAP.

[spring-projects-issues]

Juergen Hoeller commented

Please give this a try against a recent snapshot: either 5.1.0.BUILD-SNAPSHOT or 5.0.8.BUILD-SNAPSHOT, available via Maven from https://repo.spring.io/snapshot... and let me know whether the default escaping behavior is now reasonably compatible with Spring 4.x again.

[spring-projects-issues]

Kaj Hejer commented

Thank you for fixing this issue! I have tested against 5.0.8.BUILD-SNAPSHOT and it seems to work fine! :)

[spring-projects-issues]

Juergen Hoeller commented

That's great to hear! Thanks for the immediate feedback.

[spring-projects-issues]

Sander van Schouwenburg commented

I see how this issue repairs compatibility with Spring 4. However, for those of us who expected some upgrade issues upgrading to Spring 5, observed this behavior change, and changed their code accordingly, this change in a minor release (5.0.7 -> 5.0.8) can introduce a MAJOR XSS vulnerability. Because we were now relying on freemarker properly escaping all messages, which it doesn't do anymore.

In fact, the only way to get proper escaping now, is to set <context-param><param-name>defaultHtmlEscape</param-name></context-param> in web.xml, but I can't find an equivalent in a MockMvc/HtmlUnit test setting.