Matcher m = replacant.matcher(parts);
int pos = 0;
while (m.find()) {
- out.print(HTMLEncoder.encodeHTML(parts.substring(pos, m.start())));
+ out.print(escape(vars, parts.substring(pos, m.start())));
String var = store[Integer.parseInt(m.group(1))];
if (var.startsWith("$!")) {
Template.outputVar(out, l, vars, var.substring(3, var.length() - 1), true);
pos = m.end();
}
- out.print(HTMLEncoder.encodeHTML(parts.substring(pos)));
+ out.print(escape(vars, parts.substring(pos)));
+ }
+
+ private String escape(Map<String, Object> vars, String target) {
+ if (vars.containsKey(OUT_KEY_PLAIN)) {
+ return target;
+ }
+ return HTMLEncoder.encodeHTML(target);
}
@Override
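Review bot: The new `escape` helper disables HTML encoding for every literal and variable emitted by this method on the mere presence of `OUT_KEY_PLAIN` in `vars`, so a caller that copies that key into the map with a null or false value silently switches the whole template to raw output. Either check the value the caller is expected to set, or state the presence-only contract in a Javadoc on `escape`, e.g. `/** Returns target unchanged when vars marks the output as plain text (OUT_KEY_PLAIN present, value ignored); otherwise HTML-encodes it. Only set that key for non-HTML sinks. */`. `vars.containsKey` is also the first unconditional dereference of `vars` here, so any caller still passing `null` now fails with a NullPointerException instead of producing encoded output; the test in this commit passes a real map, but other callers are not visible. The enclosing method starts before this hunk.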
package org.cacert.gigi.pages.error;
import java.io.IOException;
+import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- getDefaultTemplate().output(resp.getWriter(), Page.getLanguage(req), null);
+ getDefaultTemplate().output(resp.getWriter(), Page.getLanguage(req), Collections.<String, Object>emptyMap());
}
@Override
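Review bot: `doGet` now passes `Collections.<String, Object>emptyMap()` where it previously passed `null`, which is needed because the template code in this commit calls `vars.containsKey(...)` unconditionally; any remaining caller of `Template.output` that still passes `null` — none is visible in this diff — would hit a NullPointerException on that path rather than fall back to HTML-escaped output, so the other callers deserve a look or the template a null-tolerant check. `emptyMap()` is immutable, so an outputable that writes into `vars` would throw `UnsupportedOperationException`; if that is the intent, a short comment such as `// read-only: this error page supplies no template variables` makes it explicit.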
--- /dev/null
+package org.cacert.gigi.template;
+
+import static org.junit.Assert.*;
+
+import java.io.PrintWriter;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Locale;
+
+import org.cacert.gigi.localisation.Language;
+import org.cacert.gigi.output.template.Outputable;
+import org.cacert.gigi.output.template.Template;
+import org.junit.Test;
+
+public class TestTemplateUnescaped {
+
+ private String testExecute(HashMap<String, Object> vars, String input) {
+ Template t = new Template(new StringReader(input));
+ StringWriter str = new StringWriter();
+ PrintWriter pw = new PrintWriter(str);
+ t.output(pw, Language.getInstance(Locale.ENGLISH), vars);
+ pw.flush();
+ return str.toString();
+ }
+
+ HashMap<String, Object> vars = new HashMap<>(Collections.<String, Object>singletonMap(Outputable.OUT_KEY_PLAIN, "yes"));
+
+ @Test
+ public void testVarNoEscape() {
+ vars.put("var", "val");
+ assertEquals("vall", testExecute(vars, "<?=$var?>l"));
+ vars.put("var", "val<");
+ assertEquals("val<l", testExecute(vars, "<?=$var?>l"));
+ assertEquals("val<l", testExecute(vars, "<?=$!var?>l"));
+ vars.put("var", "val\">");
+ assertEquals("val\">l", testExecute(vars, "<?=$var?>l"));
+ assertEquals("val\">l", testExecute(vars, "<?=$!var?>l"));
+ }
+
+ @Test
+ public void testTranslateNoEscape() {
+ assertEquals("\"tex<>l", testExecute(vars, "<?=_\"tex<>?>l"));
+ }
+}
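Review bot: The new test class exercises only the plain-text mode; nothing pins the default behaviour that, without `OUT_KEY_PLAIN`, `<` and `"` coming from a variable are HTML-encoded, which is exactly the regression this change could introduce. A companion case in `testVarNoEscape` would cover it: `vars.remove(Outputable.OUT_KEY_PLAIN); vars.put("var", "val<"); assertFalse(testExecute(vars, "<?=$var?>l").contains("<"));`. `vars` is a mutable instance field shared by both test methods; JUnit 4 creates a fresh instance per method so this is safe, but initialising it in a `@Before` method makes that lifecycle explicit. `import static org.junit.Assert.*;` is a wildcard import; importing `assertEquals` explicitly matches the rest of the file's import style.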