
[#810] only message arguments are escaped

1 parent 032066e commit c8373bfda80187d7d90be1307f96e5d631f778f8 @tsuijten committed May 16, 2011
@@ -15,7 +15,6 @@
import play.templates.TagContext;
import play.utils.HTML;
import play.utils.SafeFormatter;
-import play.utils.SafeFormatterHandler;
/**
* I18n Helper
@@ -54,6 +53,20 @@
public static String get(Object key, Object... args) {
return getMessage(Lang.get(), key, args);
}
+
+ /**
+ * Given a message code, translate it using current locale.
+ * If there is no message in the current locale for the given key, the key
+ * is returned.
+ *
+ * @param key the message code
+ * @param safe escapes the message parameters to prevent code injection
+ * @param args optional message format arguments
+ * @return translated message
+ */
+ public static String get(Object key, boolean safe, Object... args) {
+ return getMessage(Lang.get(), key, safe, args);
+ }
/**
* Return several messages for a locale
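Review bot: The new `get(Object key, boolean safe, Object... args)` overload competes with the existing `get(Object key, Object... args)` whenever a caller's first message argument is a primitive `boolean`: a call such as `Messages.get(key, flag)` is no longer clearly bound to the varargs overload and, depending on the compiler's most-specific rules, is either rejected as ambiguous or resolved to this method with `flag` consumed as `safe` and the intended argument dropped from the formatted text. A distinctly named method for the escaping variant would avoid the hazard; failing that, the Javadoc should state it, e.g. `* Note: a call whose first argument is a primitive boolean may bind to this overload rather than to {@link #get(Object, Object...)}.` The enclosing class continues outside the hunk.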
@@ -88,7 +101,7 @@ public static Properties find(String locale, Set<String> keys) {
}
public static String getMessage(String locale, Object key, Object... args) {
- return getMessage(locale, key, true, args);
+ return getMessage(locale, key, false, args);
}
public static String getMessage(String locale, Object key, boolean safe, Object... args) {
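Review bot: The default overload now formats arguments unescaped (`false` on the new line), so every existing caller of `getMessage(locale, key, args)` — and of the two-argument `get(key, args)` that delegates to it in the hunk above — silently loses the escaping it had before this commit; only the template path that passes `true` keeps it. Since the switch is intentional per #810, the contract should be stated where callers look: add to `getMessage(String, Object, Object...)` and to `get(Object, Object...)` a Javadoc line such as `* Message arguments are inserted verbatim; use the {@code safe} overload when the result is emitted into HTML.` The enclosing class continues outside the hunk.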
@@ -116,7 +129,7 @@ public static String getMessage(String locale, Object key, boolean safe, Object.
return formatString(value, safe, args);
}
- private static SafeFormatter safeFormatter = new SafeFormatter(new SafeFormatterHandler() {
+ private static SafeFormatter safeFormatter = new SafeFormatter() {
@Override
public String appendArgument(String format, Object arg) {
String val = formatString(format, false, arg);
@@ -133,7 +146,7 @@ public String appendArgument(String format, Object arg) {
public String append(String value) {
return recurse(value);
}
- });
+ };
private static String recurse(String message) {
Matcher matcher = recursive.matcher(message);
@@ -412,7 +412,7 @@ public String __getMessage(Object[] val) {
if (val.length == 1) {
message = Messages.get(val[0]);
} else {
- message = Messages.get(val[0], Arrays.copyOfRange(val,1,val.length));
+ message = Messages.get(val[0], true, Arrays.copyOfRange(val,1,val.length));
}
return message;
}
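Review bot: The bare `true` on the new line is a positional boolean whose meaning is only recoverable by reading the signature of `Messages.get(Object, boolean, Object...)`; annotate it at the call site, e.g. `message = Messages.get(val[0], true /* escape args, see #810 */, Arrays.copyOfRange(val, 1, val.length));`. The single-element branch just above still goes through the unescaped `get(Object, Object...)`, which appears harmless there since no arguments are substituted, but a one-line comment would make clear the asymmetry is deliberate. `__getMessage` begins outside the hunk.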
@@ -43,11 +43,13 @@ public static TagContext parent() {
}
public static boolean hasParentTag(String name) {
- for(int i=currentStack.get().size()-1; i>=0; i--) {
- if(name.equals(currentStack.get().get(i).tagName)) {
- return true;
- }
- }
+ if(currentStack.get() != null) {
+ for(int i=currentStack.get().size()-1; i>=0; i--) {
+ if(name.equals(currentStack.get().get(i).tagName)) {
+ return true;
+ }
+ }
+ }
return false;
}
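Review bot: The added null guard calls `currentStack.get()` three times per iteration in `hasParentTag` (the guard, the loop bound and the element access), and the extra nesting pushes the loop two levels in; reading the stack once into a local and returning early keeps the same behaviour with a flatter body. The element type is not visible in the hunk — the local below assumes `currentStack` holds a `List<TagContext>`, to be confirmed against the field declaration.
```java
public static boolean hasParentTag(String name) {
    List<TagContext> stack = currentStack.get();   // type assumed; confirm against the field
    if (stack == null) {
        return false;
    }
    for (int i = stack.size() - 1; i >= 0; i--) {
        if (name.equals(stack.get(i).tagName)) {
            return true;
        }
    }
    return false;
}
```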
@@ -4,21 +4,11 @@
import java.util.regex.Matcher;
import java.util.regex.Pattern;
-public class SafeFormatter {
+public abstract class SafeFormatter {
// Pattern copied from java.util.Formatter
private static final Pattern formatSpecifier
= Pattern.compile("%(\\d+\\$)?([-#+ 0,(\\<]*)?(\\d+)?(\\.\\d+)?([tT])?([a-zA-Z%])");
- private SafeFormatterHandler safeFormatterHandler;
-
- public SafeFormatter(SafeFormatterHandler safeFormatterHandler) {
- if(safeFormatterHandler == null) {
- throw new NullPointerException();
- }
-
- this.safeFormatterHandler = safeFormatterHandler;
- }
-
public String format(String format, Object...args) {
Matcher matcher = formatSpecifier.matcher(format);
StringBuffer sb = new StringBuffer();
@@ -48,24 +38,27 @@ public String format(String format, Object...args) {
}
}
- sb.append(safeFormatterHandler.append(format.substring(lastAppend, matcher.start())));
+ sb.append(append(format.substring(lastAppend, matcher.start())));
if(matcher.group(6) != null && (matcher.group(6).equals("n") || matcher.group(6).equals("%"))) {
//Parameters that don't require an argument
- sb.append(safeFormatterHandler.appendArgument(newFormatPattern.toString(), null));
+ sb.append(appendArgument(newFormatPattern.toString(), null));
} else {
//Parameters that do require an argument
if (args != null && index > args.length)
throw new MissingFormatArgumentException(matcher.group());
- sb.append(safeFormatterHandler.appendArgument(newFormatPattern.toString(), args == null ? null : args[index - 1]));
+ sb.append(appendArgument(newFormatPattern.toString(), args == null ? null : args[index - 1]));
}
lastAppend = matcher.end();
}
- sb.append(safeFormatterHandler.append(format.substring(lastAppend, format.length())));
+ sb.append(append(format.substring(lastAppend, format.length())));
return sb.toString();
}
+
+ public abstract String appendArgument(String format, Object arg);
+ public abstract String append(String value);
}
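Review bot: The two new abstract hooks `appendArgument` and `append` carry no Javadoc, so their contract is only discoverable from the body of `format` above. From the visible calls, `append` receives each literal segment between format specifiers (and the tail after the last one), while `appendArgument` receives a single rebuilt specifier plus its argument, which is `null` for `%n` and `%%`; `format` concatenates whatever they return verbatim, so any escaping is the implementation's responsibility. Add Javadoc on both methods saying exactly that, including an explicit note that `arg` may be `null`, and a class-level sentence that `SafeFormatter` is now abstract and must be subclassed to supply the two hooks (the class header is in the previous hunk).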
@@ -1,6 +0,0 @@
-package play.utils;
-
-public interface SafeFormatterHandler {
- public String appendArgument(String format, Object arg);
- public String append(String value);
-}
@@ -15,7 +15,7 @@ private void checkFormat(SafeFormatter s, String format, Object...args) {
@Test
public void testSafeFormatter() {
- SafeFormatter s = new SafeFormatter(new SafeFormatterHandler() {
+ SafeFormatter s = new SafeFormatter() {
@Override
public String appendArgument(String format, Object arg) {
return HTML.htmlEscape(String.format(format, arg));
@@ -25,7 +25,7 @@ public String appendArgument(String format, Object arg) {
public String append(String value) {
return value;
}
- });
+ };
//Check if String.format and SafeFormatter.format return the same result when there is nothing to escape
checkFormat(s, "%n", new Object[]{null});
