Avoid MessageFormat processing for default @Pattern validation message #22761

Closed
t-tera opened this issue Apr 8, 2019 · 1 comment

Comments

@t-tera
commented Apr 8, 2019

Affects: 5.1.5 RELEASE

Example1

Let's say a form bean has the following annotation:

@Pattern(regexp = "[\\w.'-]{1,}@[\\w.'-]{1,}")
private String email;

If an invalid email is given, validation fails and the following error message is presented by the form:errors tag.

... must match "[\w.-]{1,}@[\w.-][Ljavax.validation.constraints.Pattern$Flag;@4f413b2c"

Single quotes disappear and the second {1,} occurrence is replaced with [Ljavax.validation.constraints.Pattern$Flag;@4f413b2c.

Example2:

private Integer age;

Supply age={0}aaa'bbb and you get the following error message:

Failed to convert property value of type java.lang.String to required type java.lang.Integer 
for property age; nested exception is java.lang.NumberFormatException: For input string: 
"org.springframework.context.support.DefaultMessageSourceResolvable: codes formData.age,age]; 
arguments []; default message [age]aaabbb"

Again, {0} is replaced and the single quote disappears.

The cause is that the values (the regexp in example1 and the user input in example2) are passed to java.text.MessageFormat#applyPattern() with no proper escaping.

It looks like the bug (example1) is similar to #11988.

@jhoeller jhoeller self-assigned this Apr 8, 2019

@jhoeller jhoeller added this to the 5.1.7 milestone Apr 8, 2019

@jhoeller jhoeller changed the title from "Error massage is parsed as java.text.MessageFormat" to "Escape @Pattern validation message for java.text.MessageFormat processing" Apr 8, 2019

@jhoeller jhoeller changed the title from "Escape @Pattern validation message for java.text.MessageFormat processing" to "Do not apply java.text.MessageFormat processing to default @Pattern validation message" Apr 8, 2019

@jhoeller

Contributor

commented Apr 8, 2019

Thanks for raising this! Our old fallback solution for MessageFormat mismatches isn't ideal there at all since it only catches invalid format syntax, not accidental matches with valid MessageFormat syntax.

As of 5.1.7, we generally don't apply MessageFormat rendering to Bean Validation default messages anymore, so any conflict with accidental placeholder or escaping syntax is avoided to begin with now.

@jhoeller jhoeller changed the title from "Do not apply java.text.MessageFormat processing to default @Pattern validation message" to "Avoid MessageFormat processing for default @Pattern validation message" Apr 8, 2019

@sdeleuze sdeleuze closed this in a1efe3c Apr 8, 2019
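
A standalone reproduction of the behaviour discussed in this issue, added here as an example (it is not code from Spring Framework or from the participants). It feeds the reported regexp and the Example2 input through java.text.MessageFormat directly; the class name, the helpers `formatWithFallback` and `quoteForMessageFormat`, and the `"FLAGS"` stand-in for the flags array are assumptions made for the demonstration.

```java
import java.text.MessageFormat;

public class MessageFormatDefaultMessageDemo {

    // Hypothetical helper (not a Spring API): makes text literal for MessageFormat
    // by doubling single quotes and wrapping the result in one quoted section.
    static String quoteForMessageFormat(String text) {
        return text.isEmpty() ? "" : "'" + text.replace("'", "''") + "'";
    }

    // Hypothetical stand-in for a "fall back to the raw text on invalid
    // MessageFormat syntax" strategy, as mentioned in the maintainer's comment.
    static String formatWithFallback(String msg, Object[] args) {
        try {
            return new MessageFormat(msg).format(args);
        } catch (IllegalArgumentException ex) {
            return msg; // only reached when the text is NOT a valid pattern
        }
    }

    public static void main(String[] unused) {
        // Constructed stand-ins for the error arguments (field name, flags, regexp).
        String regexp = "[\\w.'-]{1,}@[\\w.'-]{1,}";
        Object[] args = {"email", "FLAGS", regexp};
        String message = "must match \"" + regexp + "\"";

        // 1. Accidentally valid syntax: the single quotes are consumed as
        //    MessageFormat quoting and the unquoted {1,} is replaced by args[1].
        System.out.println(formatWithFallback(message, args));

        // 2. {1,3} is invalid MessageFormat syntax (unknown format type), so this
        //    is the only case in which the fallback returns the text unchanged.
        System.out.println(formatWithFallback("must match \"\\d{1,3}\"", args));

        // 3. User-supplied text as in Example2, quoted before formatting:
        //    {0} and the single quote are rendered verbatim.
        String input = "For input string: \"{0}aaa'bbb\"";
        System.out.println(formatWithFallback(quoteForMessageFormat(input), args));

        // 4. Skipping MessageFormat for already-interpolated default messages,
        //    the direction described for 5.1.7, leaves the text intact.
        System.out.println(message);
    }
}
```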
