/*
 * Copyright 2002-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.web.servlet.tags;

import javax.servlet.jsp.JspException;

import org.springframework.lang.Nullable;
import org.springframework.web.util.HtmlUtils;

/**
 * Base class for JSP tags whose output may need to be HTML-escaped.
 *
 * <p>Exposes an "htmlEscape" property so a page author can switch HTML
 * escaping on or off for one tag. When the property is left unset, the tag
 * uses a page-level default (e.g. from the HtmlEscapeTag) or an
 * application-wide default (the "defaultHtmlEscape" context-param in
 * {@code web.xml}).
 *
 * <p>Security note: escaping is opt-in. With no tag attribute and no
 * page-level or application-wide default, the default resolves to
 * {@code false} and {@link #htmlEscape(String)} returns its argument
 * unchanged, so subclasses that render request-derived values emit them
 * verbatim. The escaping applied here targets HTML markup; values placed
 * inside script blocks or URLs need the encoding appropriate to that context.
 *
 * @author Juergen Hoeller
 * @author Brian Clozel
 * @since 1.1
 * @see #setHtmlEscape
 * @see HtmlEscapeTag
 * @see org.springframework.web.servlet.support.RequestContext#isDefaultHtmlEscape
 * @see org.springframework.web.util.WebUtils#getDefaultHtmlEscape
 * @see org.springframework.web.util.WebUtils#getResponseEncodedHtmlEscape
 */
@SuppressWarnings("serial")
public abstract class HtmlEscapingAwareTag extends RequestContextAwareTag {

	// Tri-state: null means "not set on this tag, defer to the default".
	@Nullable
	private Boolean htmlEscape;


	/**
	 * Enable or disable HTML escaping for this tag instance.
	 * <p>An explicit value here takes precedence over the default HTML
	 * escaping setting of the current page.
	 * @param htmlEscape {@code true} to escape output, {@code false} to emit it as-is
	 * @throws JspException declared by the signature; not thrown by this implementation
	 * @see HtmlEscapeTag#setDefaultHtmlEscape
	 */
	public void setHtmlEscape(boolean htmlEscape) throws JspException {
		this.htmlEscape = htmlEscape;
	}

	/**
	 * Resolve the effective HTML escaping setting for this tag.
	 * @return the value given to {@link #setHtmlEscape} if one was set,
	 * otherwise the result of {@link #isDefaultHtmlEscape()}
	 * @see #isDefaultHtmlEscape()
	 */
	protected boolean isHtmlEscape() {
		Boolean explicitSetting = this.htmlEscape;
		// Only consult the default when the tag attribute was never supplied.
		return (explicitSetting != null ? explicitSetting.booleanValue() : isDefaultHtmlEscape());
	}

	/**
	 * Return the default HTML escape setting that applies to this tag.
	 * <p>This implementation delegates to the RequestContext, which falls
	 * back to {@code false} when no explicit default has been given.
	 * @return the default reported by the RequestContext
	 * @see #getRequestContext()
	 */
	protected boolean isDefaultHtmlEscape() {
		return getRequestContext().isDefaultHtmlEscape();
	}

	/**
	 * Return whether HTML escaping for this tag should take the response
	 * encoding into account by default.
	 * <p>This implementation delegates to the RequestContext, which falls
	 * back to {@code false} when no explicit default has been given.
	 * @return the setting reported by the RequestContext
	 * @since 4.1.2
	 * @see #getRequestContext()
	 */
	protected boolean isResponseEncodedHtmlEscape() {
		return getRequestContext().isResponseEncodedHtmlEscape();
	}

	/**
	 * HTML-encode the given String, but only when the "htmlEscape" setting
	 * is enabled; otherwise the input is returned as it was passed in.
	 * <p>When the "responseEncodedHtmlEscape" setting is enabled as well, the
	 * character encoding of the current response is handed to
	 * {@link HtmlUtils} so that it is taken into account.
	 * @param content the String to escape
	 * @return the escaped String, or {@code content} itself if escaping is disabled
	 * @since 4.1.2
	 * @see #isHtmlEscape()
	 * @see #isResponseEncodedHtmlEscape()
	 */
	protected String htmlEscape(String content) {
		// Escaping disabled: hand the caller's value back untouched.
		if (!isHtmlEscape()) {
			return content;
		}
		if (isResponseEncodedHtmlEscape()) {
			String responseEncoding = this.pageContext.getResponse().getCharacterEncoding();
			return HtmlUtils.htmlEscape(content, responseEncoding);
		}
		return HtmlUtils.htmlEscape(content);
	}

}