HtmlUtils properly escapes single quotes as well

Author: jhoeller

org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/HtmlEscapeTagTests.java

@@ -1,12 +1,12 @@
 /*
- * Copyright 2002-2005 the original author or authors.
- * 
+ * Copyright 2002-2011 the original author or authors.
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,8 +18,8 @@
 
 import javax.servlet.jsp.JspException;
 import javax.servlet.jsp.PageContext;
-import javax.servlet.jsp.tagext.Tag;
 import javax.servlet.jsp.tagext.BodyTag;
+import javax.servlet.jsp.tagext.Tag;
 
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.web.util.WebUtils;
@@ -176,7 +176,7 @@ protected void writeBodyContent(String content) {
 		tag.setJavaScriptEscape("true");
 		assertEquals(BodyTag.EVAL_BODY_BUFFERED, tag.doStartTag());
 		assertEquals(Tag.SKIP_BODY, tag.doAfterBody());
-		assertEquals("Correct content", "\\' test & text \\\\", result.toString());
+		assertEquals("Correct content", "' test & text \\\\", result.toString());
 	}
 
 }

org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/MessageTagTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2007 the original author or authors.
+ * Copyright 2002-2011 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,7 +19,6 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.Locale;
-
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.jsp.JspException;
@@ -347,7 +346,7 @@ protected void writeMessage(String msg) {
 		tag.setHtmlEscape("true");
 		tag.setJavaScriptEscape("true");
 		assertTrue("Correct doStartTag return value", tag.doStartTag() == Tag.EVAL_BODY_INCLUDE);
-		assertEquals("Correct message", "\\' test & text \\\\", message.toString());
+		assertEquals("Correct message", "' test & text \\\\", message.toString());
 	}
 
 	public void testMessageWithVarAndScope() throws JspException {

org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 the original author or authors.
+ * Copyright 2002-2011 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -174,7 +174,7 @@ public void testXSSScriptingExploitWhenActionIsResolvedFromQueryString() throws
 		String xssQueryString = QUERY_STRING + "&stuff=\"><script>alert('XSS!')</script>";
 		request.setQueryString(xssQueryString);
 		tag.doStartTag();
-		assertEquals("<form id=\"command\" action=\"/my/form?foo=bar&amp;stuff=&quot;&gt;&lt;script&gt;alert('XSS!')&lt;/script&gt;\" method=\"post\">",
+		assertEquals("<form id=\"command\" action=\"/my/form?foo=bar&amp;stuff=&quot;&gt;&lt;script&gt;alert(&#39;XSS!&#39;)&lt;/script&gt;\" method=\"post\">",
 				getOutput());
 	}
 

org.springframework.web/src/test/java/org/springframework/web/bind/EscapedErrorsTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2006 the original author or authors.
+ * Copyright 2002-2011 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,20 +16,23 @@
 
 package org.springframework.web.bind;
 
-import junit.framework.TestCase;
+import org.junit.Test;
 
 import org.springframework.beans.TestBean;
 import org.springframework.validation.BindException;
 import org.springframework.validation.Errors;
 import org.springframework.validation.FieldError;
 import org.springframework.validation.ObjectError;
 
+import static org.junit.Assert.*;
+
 /**
  * @author Juergen Hoeller
  * @since 02.05.2003
  */
-public class EscapedErrorsTests extends TestCase {
+public class EscapedErrorsTests {
 
+	@Test
 	public void testEscapedErrors() {
 		TestBean tb = new TestBean();
 		tb.setName("empty &");
@@ -47,11 +50,11 @@ public void testEscapedErrors() {
 		assertTrue("Correct global errors flag", errors.hasGlobalErrors());
 		assertTrue("Correct number of global errors", errors.getGlobalErrorCount() == 1);
 		ObjectError globalError = errors.getGlobalError();
-		assertTrue("Global error message escaped", "message: " '".equals(globalError.getDefaultMessage()));
+		assertTrue("Global error message escaped", "message: " '".equals(globalError.getDefaultMessage()));
 		assertTrue("Global error code not escaped", "GENERAL_ERROR \" '".equals(globalError.getCode()));
-		ObjectError globalErrorInList = (ObjectError) errors.getGlobalErrors().get(0);
+		ObjectError globalErrorInList = errors.getGlobalErrors().get(0);
 		assertTrue("Same global error in list", globalError.getDefaultMessage().equals(globalErrorInList.getDefaultMessage()));
-		ObjectError globalErrorInAllList = (ObjectError) errors.getAllErrors().get(3);
+		ObjectError globalErrorInAllList = errors.getAllErrors().get(3);
 		assertTrue("Same global error in list", globalError.getDefaultMessage().equals(globalErrorInAllList.getDefaultMessage()));
 
 		assertTrue("Correct field errors flag", errors.hasFieldErrors());
@@ -60,7 +63,7 @@ public void testEscapedErrors() {
 		FieldError fieldError = errors.getFieldError();
 		assertTrue("Field error code not escaped", "NAME_EMPTY &".equals(fieldError.getCode()));
 		assertTrue("Field value escaped", "empty &".equals(errors.getFieldValue("name")));
-		FieldError fieldErrorInList = (FieldError) errors.getFieldErrors().get(0);
+		FieldError fieldErrorInList = errors.getFieldErrors().get(0);
 		assertTrue("Same field error in list", fieldError.getDefaultMessage().equals(fieldErrorInList.getDefaultMessage()));
 
 		assertTrue("Correct name errors flag", errors.hasFieldErrors("name"));
@@ -70,7 +73,7 @@ public void testEscapedErrors() {
 		assertTrue("Name error message escaped", "message: &".equals(nameError.getDefaultMessage()));
 		assertTrue("Name error code not escaped", "NAME_EMPTY &".equals(nameError.getCode()));
 		assertTrue("Name value escaped", "empty &".equals(errors.getFieldValue("name")));
-		FieldError nameErrorInList = (FieldError) errors.getFieldErrors("name").get(0);
+		FieldError nameErrorInList = errors.getFieldErrors("name").get(0);
 		assertTrue("Same name error in list", nameError.getDefaultMessage().equals(nameErrorInList.getDefaultMessage()));
 
 		assertTrue("Correct age errors flag", errors.hasFieldErrors("age"));
@@ -80,9 +83,9 @@ public void testEscapedErrors() {
 		assertTrue("Age error message escaped", "message: <tag>".equals(ageError.getDefaultMessage()));
 		assertTrue("Age error code not escaped", "AGE_NOT_SET <tag>".equals(ageError.getCode()));
 		assertTrue("Age value not escaped", (new Integer(0)).equals(errors.getFieldValue("age")));
-		FieldError ageErrorInList = (FieldError) errors.getFieldErrors("age").get(0);
+		FieldError ageErrorInList = errors.getFieldErrors("age").get(0);
 		assertTrue("Same name error in list", ageError.getDefaultMessage().equals(ageErrorInList.getDefaultMessage()));
-		FieldError ageError2 = (FieldError) errors.getFieldErrors("age").get(1);
+		FieldError ageError2 = errors.getFieldErrors("age").get(1);
 		assertTrue("Age error 2 message escaped", "message: &lt;tag&gt;".equals(ageError2.getDefaultMessage()));
 		assertTrue("Age error 2 code not escaped", "AGE_NOT_32 <tag>".equals(ageError2.getCode()));
 	}

org.springframework.web/src/test/java/org/springframework/web/util/HtmlCharacterEntityReferencesTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2005 the original author or authors.
+ * Copyright 2002-2011 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,16 +24,19 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import junit.framework.TestCase;
+import org.junit.Test;
+
+import static org.junit.Assert.*;
 
 /**
  * @author Martin Kersten
  * @author Juergen Hoeller
  */
-public class HtmlCharacterEntityReferencesTests extends TestCase {
+public class HtmlCharacterEntityReferencesTests {
 
 	private static final String DTD_FILE = "HtmlCharacterEntityReferences.dtd";
 
+	@Test
 	public void testSupportsAllCharacterEntityReferencesDefinedByHtml() {
 		HtmlCharacterEntityReferences entityReferences = new HtmlCharacterEntityReferences();
 		Map referenceCharactersMap = getReferenceCharacterMap();
@@ -49,8 +52,12 @@ public void testSupportsAllCharacterEntityReferencesDefinedByHtml() {
 						entityReferences.isMappedToReference((char) character));
 				assertEquals("The reference of unicode character " + character + " should be entity " + referenceName,
 						fullReference, entityReferences.convertToReference((char) character));
-				assertEquals("The entity reference [" + referenceName + "] should be mapped to unicode character " + character,
-						(char) character, entityReferences.convertToCharacter(referenceName));
+				assertEquals("The entity reference [" + referenceName + "] should be mapped to unicode character " +
+						character, (char) character, entityReferences.convertToCharacter(referenceName));
+			}
+			else if (character == 39) {
+				assertTrue(entityReferences.isMappedToReference((char) character));
+				assertEquals("'", entityReferences.convertToReference((char) character));
 			}
 			else {
 				assertFalse("The unicode character " + character + " should not be mapped to a reference",
@@ -61,17 +68,17 @@ public void testSupportsAllCharacterEntityReferencesDefinedByHtml() {
 		}
 
 		assertEquals("The registered entity count of entityReferences should match the number of entity references",
-				referenceCharactersMap.size(), entityReferences.getSupportedReferenceCount());
-		assertEquals("The HTML 4.0 Standard defines 252 entity references so do entityReferences",
-				252, entityReferences.getSupportedReferenceCount());
+				referenceCharactersMap.size() + 1, entityReferences.getSupportedReferenceCount());
+		assertEquals("The HTML 4.0 Standard defines 252+1 entity references so do entityReferences",
+				252 + 1, entityReferences.getSupportedReferenceCount());
 
-		assertEquals("Invalid entity reference names should not be convertable",
+		assertEquals("Invalid entity reference names should not be convertible",
 				(char) -1, entityReferences.convertToCharacter("invalid"));
 	}
 
 	private Map getReferenceCharacterMap() {
 		CharacterEntityResourceIterator entityIterator = new CharacterEntityResourceIterator();
-		Map referencedCharactersMap = new HashMap();
+		Map<Integer, String> referencedCharactersMap = new HashMap<Integer, String>();
 		while (entityIterator.hasNext()) {
 			int character = entityIterator.getReferredCharacter();
 			String entityName = entityIterator.nextEntry();
@@ -103,7 +110,7 @@ public CharacterEntityResourceIterator() {
 		}
 
 		public boolean hasNext() {
-			return (currentEntityName != null ? true : readNextEntity());
+			return (currentEntityName != null || readNextEntity());
 		}
 
 		public String nextEntry() {