

XCOMMONS-2498: XWikiUtils#escapeElementText should also escape {
(cherry picked from commit a818817)
tmortagne committed Aug 16, 2022
1 parent e1c24cb commit e6c897d
Showing 2 changed files with 11 additions and 2 deletions.
Expand Up @@ -432,6 +432,8 @@ public static String escapeAttributeValue(String content)
result.append(GT);
break;
case '{':
// Not needed from XML point of view but escaping xwiki/2.x macro syntax helps avoid countless
// security problems easily
result.append(LCURL);
break;
default:
Expand All @@ -447,6 +449,8 @@ public static String escapeAttributeValue(String content)
* For instance, {@code Jim & John} will be escaped and can thus be put inside an XML tag, such as the {@code p}
* tag, as in {@code <p>Jim &amp; John</p>}.
* Specifically, escapes &lt; to {@code &lt;}, and &amp; to {@code &amp;}.
* <p>
* Since 13.10.9, 14.4.4 and 14.7RC1 the character { is also escaped.
*
* @param content the text to escape, may be {@code null}.
* @return a new escaped {@code String}, {@code null} if {@code null} input
Expand All @@ -473,6 +477,11 @@ public static String escapeElementText(String content)
case '<':
result.append(LT);
break;
case '{':
// Not needed from XML point of view but escaping xwiki/2.x macro syntax helps avoid countless
// security problems easily
result.append(LCURL);
break;
default:
result.append(c);
}
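Review bot: The comment at the new `case '{':` branch of escapeElementText (and the identical one added in the escapeAttributeValue hunk above) states the motivation only as "countless security problems", which tells the next maintainer nothing about what the escape actually prevents; prefer `// Not required by XML, but "{{" opens xwiki/2.x macro syntax, so escaping the brace keeps caller-supplied text from being treated as a macro if the output is later rendered as wiki syntax.` The second hunk's Javadoc sentence "Specifically, escapes &lt; to {@code &lt;}, and &amp; to {@code &amp;}" still lists only the two XML characters even though the "Since" line below it announces the brace; append `, and the left curly bracket to {@code &#123;}` so the summary matches the behavior (the test file in this commit shows `{` becomes `&#123;`). Both the comment text and the Javadoc fix are presumably wanted in escapeAttributeValue as well, which I cannot confirm from the visible lines. The enclosing escapeElementText method starts and ends outside the third hunk.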
Expand Up @@ -106,8 +106,8 @@ void escapeObjectContent()
@Test
void escapeElementText()
{
String actual = XMLUtils.escapeElementText("a < a' && a' < a\" => a < a\"");
assertEquals("a &#60; a' &#38;&#38; a' &#60; a\" => a &#60; a\"", actual);
String actual = XMLUtils.escapeElementText("a < a' && a' < a\" => a < a\" {");
assertEquals("a &#60; a' &#38;&#38; a' &#60; a\" => a &#60; a\" &#123;", actual);
}

@Test
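Review bot: The updated assertion exercises a single trailing `{`, but the rationale in the main change is the two-character xwiki/2.x macro opener, so a case with consecutive braces would pin the property that actually matters: `assertEquals("&#123;&#123;", XMLUtils.escapeElementText("{{"));`. If the closing brace is intentionally passed through unchanged, a second assertion such as `assertEquals("}", XMLUtils.escapeElementText("}"));` would document that asymmetry rather than leaving it implicit. The test method escapeElementText() is fully within the hunk.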

