001/* 002 * Copyright 2002-2017 the original author or authors. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * https://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016 017package org.springframework.web.servlet.tags; 018 019import java.io.IOException; 020import javax.servlet.jsp.JspException; 021import javax.servlet.jsp.tagext.BodyContent; 022import javax.servlet.jsp.tagext.BodyTag; 023 024import org.springframework.web.util.JavaScriptUtils; 025 026/** 027 * Custom JSP tag to escape its enclosed body content, 028 * applying HTML escaping and/or JavaScript escaping. 029 * 030 * <p>Provides a "htmlEscape" property for explicitly specifying whether to 031 * apply HTML escaping. If not set, a page-level default (e.g. from the 032 * HtmlEscapeTag) or an application-wide default (the "defaultHtmlEscape" 033 * context-param in web.xml) is used. 034 * 035 * <p>Provides a "javaScriptEscape" property for specifying whether to apply 036 * JavaScript escaping. Can be combined with HTML escaping or used standalone. 037 * 038 * @author Juergen Hoeller 039 * @since 1.1.1 040 * @see org.springframework.web.util.HtmlUtils 041 * @see org.springframework.web.util.JavaScriptUtils 042 */ 043@SuppressWarnings("serial") 044public class EscapeBodyTag extends HtmlEscapingAwareTag implements BodyTag { 045 046 private boolean javaScriptEscape = false; 047 048 private BodyContent bodyContent; 049 050 051 /** 052 * Set JavaScript escaping for this tag, as boolean value. 053 * Default is "false". 054 */ 055 public void setJavaScriptEscape(boolean javaScriptEscape) throws JspException { 056 this.javaScriptEscape = javaScriptEscape; 057 } 058 059 060 @Override 061 protected int doStartTagInternal() { 062 // do nothing 063 return EVAL_BODY_BUFFERED; 064 } 065 066 @Override 067 public void doInitBody() { 068 // do nothing 069 } 070 071 @Override 072 public void setBodyContent(BodyContent bodyContent) { 073 this.bodyContent = bodyContent; 074 } 075 076 @Override 077 public int doAfterBody() throws JspException { 078 try { 079 String content = readBodyContent(); 080 // HTML and/or JavaScript escape, if demanded 081 content = htmlEscape(content); 082 content = (this.javaScriptEscape ? JavaScriptUtils.javaScriptEscape(content) : content); 083 writeBodyContent(content); 084 } 085 catch (IOException ex) { 086 throw new JspException("Could not write escaped body", ex); 087 } 088 return (SKIP_BODY); 089 } 090 091 /** 092 * Read the unescaped body content from the page. 093 * @return the original content 094 * @throws IOException if reading failed 095 */ 096 protected String readBodyContent() throws IOException { 097 return this.bodyContent.getString(); 098 } 099 100 /** 101 * Write the escaped body content to the page. 102 * <p>Can be overridden in subclasses, e.g. for testing purposes. 103 * @param content the content to write 104 * @throws IOException if writing failed 105 */ 106 protected void writeBodyContent(String content) throws IOException { 107 this.bodyContent.getEnclosingWriter().print(content); 108 } 109 110}