/*
 * Copyright 2002-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.web.servlet.tags;

import javax.servlet.jsp.JspException;

import org.springframework.web.util.HtmlUtils;

/**
 * Base class for JSP tags whose output may need to be HTML-escaped.
 *
 * <p>Exposes an "htmlEscape" property so that a page author can switch HTML
 * escaping on or off for one tag. When the property is left unset, the tag
 * uses a page-level default (e.g. from the HtmlEscapeTag) or an
 * application-wide default (the "defaultHtmlEscape" context-param in
 * {@code web.xml}).
 *
 * <p><b>Security note:</b> escaping is opt-in. If neither the tag, the page
 * nor the application enables it, {@link #htmlEscape(String)} hands the
 * content back unchanged, so a subclass that renders request- or
 * user-supplied data emits it as raw markup. Applications that render
 * untrusted data should enable "defaultHtmlEscape" (or set the property per
 * tag). HTML escaping covers HTML text and attribute-value contexts only; it
 * is not a substitute for JavaScript or URL encoding.
 *
 * @author Juergen Hoeller
 * @author Brian Clozel
 * @since 1.1
 * @see #setHtmlEscape
 * @see HtmlEscapeTag
 * @see org.springframework.web.servlet.support.RequestContext#isDefaultHtmlEscape
 * @see org.springframework.web.util.WebUtils#getDefaultHtmlEscape
 * @see org.springframework.web.util.WebUtils#getResponseEncodedHtmlEscape
 */
@SuppressWarnings("serial")
public abstract class HtmlEscapingAwareTag extends RequestContextAwareTag {

	// Tri-state on purpose: null means "not set on this tag, use the default".
	private Boolean htmlEscape;


	/**
	 * Enable or disable HTML escaping for this tag.
	 * <p>An explicit value set here takes precedence over the default HTML
	 * escaping setting of the current page, in either direction: passing
	 * {@code false} turns escaping off for this tag even when the page or
	 * application default is on.
	 * @param htmlEscape whether this tag should HTML-escape its output
	 * @see HtmlEscapeTag#setDefaultHtmlEscape
	 */
	public void setHtmlEscape(boolean htmlEscape) throws JspException {
		this.htmlEscape = Boolean.valueOf(htmlEscape);
	}

	/**
	 * Determine the effective HTML escaping setting for this tag.
	 * @return the value set through {@link #setHtmlEscape}, or the result of
	 * {@link #isDefaultHtmlEscape()} when no value was set on the tag
	 * @see #isDefaultHtmlEscape()
	 */
	protected boolean isHtmlEscape() {
		// Both branches are primitive booleans, so no unboxing of a null can occur.
		return (this.htmlEscape != null ? this.htmlEscape.booleanValue() : isDefaultHtmlEscape());
	}

	/**
	 * Determine the default HTML escape setting that applies to this tag.
	 * <p>This implementation delegates to the RequestContext, which is
	 * documented to fall back to {@code false} when no explicit default has
	 * been given, i.e. no escaping unless it was configured.
	 * @return the RequestContext's default HTML escape setting
	 * @see #getRequestContext()
	 */
	protected boolean isDefaultHtmlEscape() {
		return getRequestContext().isDefaultHtmlEscape();
	}

	/**
	 * Determine whether HTML escaping for this tag should take the response
	 * encoding into account by default.
	 * <p>This implementation delegates to the RequestContext. The value used
	 * when no explicit default is configured is decided there; it is
	 * documented here as {@code false}.
	 * @return the RequestContext's response-encoded HTML escape setting
	 * @since 4.1.2
	 * @see #getRequestContext()
	 */
	protected boolean isResponseEncodedHtmlEscape() {
		return getRequestContext().isResponseEncodedHtmlEscape();
	}

	/**
	 * HTML-encode the given String, but only when the "htmlEscape" setting is
	 * enabled for this tag; otherwise the String is returned unchanged.
	 * <p>If the "responseEncodedHtmlEscape" setting is enabled as well, the
	 * character encoding of the current response is passed to
	 * {@link HtmlUtils} so that escaping can be adapted to that encoding.
	 * <p>Subclasses that write untrusted data should route it through this
	 * method rather than writing it directly, and must not assume the result
	 * is escaped: that depends on the effective setting.
	 * @param content the String to escape
	 * @return the escaped String, or {@code content} itself when HTML
	 * escaping is not enabled
	 * @since 4.1.2
	 * @see #isHtmlEscape()
	 * @see #isResponseEncodedHtmlEscape()
	 */
	protected String htmlEscape(String content) {
		// Escaping disabled: pass the content through untouched.
		if (!isHtmlEscape()) {
			return content;
		}
		if (isResponseEncodedHtmlEscape()) {
			String responseEncoding = this.pageContext.getResponse().getCharacterEncoding();
			return HtmlUtils.htmlEscape(content, responseEncoding);
		}
		return HtmlUtils.htmlEscape(content);
	}

}