metsw24-max opened a new pull request, #1720:
URL: https://github.com/apache/struts/pull/1720
This PR fixes three framework-side output safety issues related to CSP
policy generation and HTML escaping.
All existing tests pass after the changes.
## Fix 1: radiomap.ftl attribute escaping
### Problem
`radiomap.ftl` used:
```ftl
${attributes.name?no_esc}
```
without pre-sanitizing `"` characters.
Unlike other form templates, this bypassed FreeMarker auto-escaping entirely
and allowed a double quote to break out of the HTML attribute context.
### Fix
Escape only double quotes before `?no_esc`:
```ftl
${attributes.name?replace('"', '&quot;')?no_esc}
```
Single quotes are intentionally preserved because Struts OGNL map syntax may
legitimately contain them:
```text
myMap['key']
```
Files changed:
* `template/simple/radiomap.ftl`
* `template/html5/radiomap.ftl`
---
## Fix 2: CSP policy missing `style-src`
### Problem
The framework propagates CSP nonces to generated `<link>` and `<script>`
tags, but the default CSP policy only defined:
```text
script-src 'nonce-...'
```
No `style-src` directive existed, meaning style nonces were not enforced by
browsers.
### Fix
Added:
* `STYLE_SRC` constant to `CspSettings`
* `style-src 'nonce-...' ...` directive generation in `DefaultCspSettings`
Also updated CSP interceptor tests to validate the new policy format.
Files changed:
* `CspSettings.java`
* `DefaultCspSettings.java`
* `CspInterceptorTest.java`
---
## Fix 3: unescaped redirect body output
### Problem
`ServletRedirectResult` wrote the raw redirect URL directly into the HTML
response body when using non-302 status codes:
```java
response.getWriter().write(finalLocation);
```
Since `finalLocation` may contain OGNL-evaluated values,
framework-controlled HTML output should always be escaped before rendering.
### Fix
Escape the response body output using Apache Commons Text:
```java
StringEscapeUtils.escapeHtml4(finalLocation)
```
The `Location` response header itself remains unchanged.
Files changed:
* `ServletRedirectResult.java`
--
This is an automated message from the Apache Git Service.
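The escaping rule from Fix 1 and the CSP fallback behind Fix 2, as an added Python example (not Struts code and not part of the PR): `escape_attr_dquote` mirrors the template's `?replace`, `parse_attrs` shows how an HTML parser splits the attribute with and without it, and `nonce_enforced` applies the style-src to default-src fallback to a policy header. The policy shape in `build_csp` and the sample attribute names are assumptions.

```python
from html.parser import HTMLParser


def escape_attr_dquote(value: str) -> str:
    """Mirror of the radiomap.ftl fix: escape only double quotes so a value
    cannot close a double-quoted attribute; single quotes (OGNL map syntax
    such as myMap['key']) stay as they are."""
    return value.replace('"', "&quot;")

def render_radio(name: str, escape: bool = True) -> str:
    """Render a radio input the way the template does; escape=False
    reproduces the pre-fix ?no_esc behaviour for comparison."""
    attr = escape_attr_dquote(name) if escape else name
    return f'<input type="radio" name="{attr}" value="1">'

class _FirstTag(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)

def parse_attrs(fragment: str) -> dict:
    """Attributes of the first tag as a parser sees them (entity-decoded)."""
    parser = _FirstTag()
    parser.feed(fragment)
    return parser.attrs or {}

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def nonce_enforced(header: str, directive: str, nonce: str) -> bool:
    """True if a browser would require this nonce for the directive: a fetch
    directive falls back to default-src; with neither, nothing is enforced."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    return sources is not None and f"'nonce-{nonce}'" in sources

def build_csp(nonce: str) -> str:
    """Assumed shape of the post-fix policy: one request nonce on both directives."""
    return f"script-src 'nonce-{nonce}'; style-src 'nonce-{nonce}'"
```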