HTML escape should align with character encoding

stonio · stonio · commit 177bb0105665 · 2024-06-13T17:20:31.000Z
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/AbstractFormTag.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/AbstractFormTag.java
@@ -92,7 +92,7 @@ protected final int doStartTagInternal() throws Exception {
 	 * as required. This version is <strong>not</strong> {@link PropertyEditor}-aware.
 	 */
 	protected String getDisplayString(@Nullable Object value) {
-		return ValueFormatter.getDisplayString(value, isHtmlEscape());
+		return ValueFormatter.getDisplayString(value, this::htmlEscape);
 	}
 
 	/**
@@ -102,7 +102,7 @@ protected String getDisplayString(@Nullable Object value) {
 	 * to obtain the display value.
 	 */
 	protected String getDisplayString(@Nullable Object value, @Nullable PropertyEditor propertyEditor) {
-		return ValueFormatter.getDisplayString(value, propertyEditor, isHtmlEscape());
+		return ValueFormatter.getDisplayString(value, propertyEditor, this::htmlEscape);
 	}
 
 	/**
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/ValueFormatter.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/ValueFormatter.java
@@ -17,6 +17,7 @@
 package org.springframework.web.servlet.tags.form;
 
 import java.beans.PropertyEditor;
+import java.util.function.UnaryOperator;
 
 import org.springframework.lang.Nullable;
 import org.springframework.util.ObjectUtils;
@@ -49,6 +50,16 @@ public static String getDisplayString(@Nullable Object value, boolean htmlEscape
 		return (htmlEscape ? HtmlUtils.htmlEscape(displayValue) : displayValue);
 	}
 
+	/**
+	 * Build the display value of the supplied {@code Object}, HTML escaped
+	 * as required. This version is <strong>not</strong> {@link PropertyEditor}-aware.
+	 * @see #getDisplayString(Object, java.beans.PropertyEditor, UnaryOperator)
+	 */
+	public static String getDisplayString(@Nullable Object value, UnaryOperator<String> htmlEscape) {
+		String displayValue = ObjectUtils.getDisplayString(value);
+		return htmlEscape.apply(displayValue);
+	}
+
 	/**
 	 * Build the display value of the supplied {@code Object}, HTML escaped
 	 * as required. If the supplied value is not a {@link String} and the supplied
@@ -74,4 +85,29 @@ public static String getDisplayString(
 		return getDisplayString(value, htmlEscape);
 	}
 
+	/**
+	 * Build the display value of the supplied {@code Object}, HTML escaped
+	 * as required. If the supplied value is not a {@link String} and the supplied
+	 * {@link PropertyEditor} is not null then the {@link PropertyEditor} is used
+	 * to obtain the display value.
+	 * @see #getDisplayString(Object, UnaryOperator)
+	 */
+	public static String getDisplayString(
+			@Nullable Object value, @Nullable PropertyEditor propertyEditor, UnaryOperator<String> htmlEscape) {
+
+		if (propertyEditor != null && !(value instanceof String)) {
+			try {
+				propertyEditor.setValue(value);
+				String text = propertyEditor.getAsText();
+				if (text != null) {
+					return getDisplayString(text, htmlEscape);
+				}
+			}
+			catch (Throwable ex) {
+				// The PropertyEditor might not support this value... pass through.
+			}
+		}
+		return getDisplayString(value, htmlEscape);
+	}
+
 }
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/tags/form/InputTagTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/tags/form/InputTagTests.java
@@ -96,8 +96,8 @@ void simpleBindTagWithinForm() throws Exception {
 
 	@Test
 	void simpleBindWithHtmlEscaping() throws Exception {
-		final String NAME = "Rob \"I Love Mangos\" Harrop";
-		final String HTML_ESCAPED_NAME = "Rob &quot;I Love Mangos&quot; Harrop";
+		final String NAME = "Rob \"I Love Café\" Harrop";
+		final String HTML_ESCAPED_NAME = "Rob &quot;I Love Caf&eacute;&quot; Harrop";
 
 		this.tag.setPath("name");
 		this.rob.setName(NAME);
@@ -112,6 +112,26 @@ void simpleBindWithHtmlEscaping() throws Exception {
 		assertValueAttribute(output, HTML_ESCAPED_NAME);
 	}
 
+	@Test
+	void simpleBindWithHtmlEscapingAndCharacterEncoding() throws Exception {
+		final String NAME = "Rob \"I Love Café\" Harrop";
+		final String HTML_ESCAPED_NAME = "Rob &quot;I Love Café&quot; Harrop";
+
+		this.getPageContext().getResponse().setCharacterEncoding("UTF-8");
+		this.tag.setPath("name");
+		this.rob.setName(NAME);
+
+		assertThat(this.tag.doStartTag()).isEqualTo(Tag.SKIP_BODY);
+
+		String output = getOutput();
+		assertTagOpened(output);
+		assertTagClosed(output);
+
+		assertContainsAttribute(output, "type", getType());
+		assertValueAttribute(output, HTML_ESCAPED_NAME);
+	}
+
+
 	protected void assertValueAttribute(String output, String expectedValue) {
 		assertContainsAttribute(output, "value", expectedValue);
 	}
