[ https://issues.apache.org/jira/browse/GROOVY-7615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14940318#comment-14940318 ]
Balachandran Sivakumar commented on GROOVY-7615:
------------------------------------------------

Shall I add a bunch of test cases for the MarkupTemplateEngine class so that this gets caught easily?

> MarkupTemplateBuilder autoEscape only escapes top level model properties
> ------------------------------------------------------------------------
>
>                 Key: GROOVY-7615
>                 URL: https://issues.apache.org/jira/browse/GROOVY-7615
>             Project: Groovy
>          Issue Type: Bug
>          Components: Templating
>    Affects Versions: 2.4.4
>            Reporter: Rainer Schmitz
>
> {{TemplateConfiguration.setAutoEscape(true)}} only affects values in the model's top level. Nested values will not be escaped.
> Example:
> {code}import groovy.text.markup.MarkupTemplateEngine
> import groovy.text.markup.TemplateConfiguration
> def tplConf = new TemplateConfiguration()
> tplConf.autoEscape = true
> def engine = new MarkupTemplateEngine(tplConf)
> def template = engine.createTemplate ('''
> html {
>     body {
>         div(unsafeContents)
>         div(nested.unsafe)
>     }
> }
> ''')
> model = new HashMap<String,Object>();
> model.put("unsafeContents", "I am an <html> hacker.");
> model.put("nested", [unsafe: "I am an <html> hacker."]);
> Writable output = template.make(model)
> assert '<html><body><div>I am an &lt;html&gt; hacker.</div><div>I am an &lt;html&gt; hacker.</div></body></html>' == output.toString(){code}
> {{div(nested.unsafe)}} is not escaped.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
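
A possible caller-side mitigation for the behaviour reported above, as an added example that is not part of the original message or of Groovy itself: escape every string below the model's top level before rendering. The helper names `deepEscape` and `hardenModel` are hypothetical, and the sketch assumes an affected version (2.4.4, per the report) where autoEscape leaves nested values untouched; on a version that escapes nested values itself, this would double-escape.

```groovy
import groovy.text.markup.MarkupTemplateEngine
import groovy.text.markup.TemplateConfiguration
import groovy.xml.XmlUtil

// Hypothetical helper, not part of Groovy: escape every string found inside
// a nested Map or Collection, recursing to any depth.
def deepEscape
deepEscape = { value ->
    if (value instanceof CharSequence) return XmlUtil.escapeXml(value.toString())
    if (value instanceof Map) return value.collectEntries { k, v -> [(k): deepEscape(v)] }
    if (value instanceof Collection) return value.collect { deepEscape(it) }
    return value   // numbers, booleans, null and other objects pass through
}

// Hypothetical helper: top-level strings are left for autoEscape to handle
// (escaping them here would double-escape); only containers are walked.
def hardenModel = { Map model ->
    model.collectEntries { k, v -> [(k): (v instanceof CharSequence) ? v : deepEscape(v)] }
}

def tplConf = new TemplateConfiguration()
tplConf.autoEscape = true
def engine = new MarkupTemplateEngine(tplConf)
def template = engine.createTemplate('''
html {
    body {
        div(unsafeContents)
        div(nested.unsafe)
    }
}
''')

// Constructed sample model, same shape as the one in the report.
def model = [
    unsafeContents: 'I am an <html> hacker.',
    nested        : [unsafe: 'I am an <html> hacker.']
]

def output = template.make(hardenModel(model)).toString()

// Both values should now be escaped: the first by autoEscape, the second by deepEscape.
assert output == '<html><body><div>I am an &lt;html&gt; hacker.</div>' +
                 '<div>I am an &lt;html&gt; hacker.</div></body></html>'
```

Strings held in properties of arbitrary objects (rather than in a Map or Collection) are not reached by this helper and still need explicit escaping in the template.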