Fix FreeMarker escaping regression for messages and separators

jhoeller · jhoeller · commit 75f26eec9818 · 2018-06-28T16:41:33.000+02:00
Issue: SPR-16951 (cherry picked from commit 08e1c8c)
diff --git a/spring-webmvc/src/main/resources/org/springframework/web/servlet/view/freemarker/spring.ftl b/spring-webmvc/src/main/resources/org/springframework/web/servlet/view/freemarker/spring.ftl
@@ -25,68 +25,68 @@
  *
  * Macro to translate a message code into a message.
  -->
-<#macro message code>${springMacroRequestContext.getMessage(code)}</#macro>
+<#macro message code>${springMacroRequestContext.getMessage(code)?no_esc}</#macro>
 
 <#--
  * messageText
  *
  * Macro to translate a message code into a message,
  * using the given default text if no message found.
  -->
-<#macro messageText code, text>${springMacroRequestContext.getMessage(code, text)}</#macro>
+<#macro messageText code, text>${springMacroRequestContext.getMessage(code, text)?no_esc}</#macro>
 
 <#--
  * messageArgs
  *
  * Macro to translate a message code with arguments into a message.
  -->
-<#macro messageArgs code, args>${springMacroRequestContext.getMessage(code, args)}</#macro>
+<#macro messageArgs code, args>${springMacroRequestContext.getMessage(code, args)?no_esc}</#macro>
 
 <#--
  * messageArgsText
  *
  * Macro to translate a message code with arguments into a message,
  * using the given default text if no message found.
  -->
-<#macro messageArgsText code, args, text>${springMacroRequestContext.getMessage(code, args, text)}</#macro>
+<#macro messageArgsText code, args, text>${springMacroRequestContext.getMessage(code, args, text)?no_esc}</#macro>
 
 <#--
  * theme
  *
  * Macro to translate a theme message code into a message.
  -->
-<#macro theme code>${springMacroRequestContext.getThemeMessage(code)}</#macro>
+<#macro theme code>${springMacroRequestContext.getThemeMessage(code)?no_esc}</#macro>
 
 <#--
  * themeText
  *
  * Macro to translate a theme message code into a message,
  * using the given default text if no message found.
  -->
-<#macro themeText code, text>${springMacroRequestContext.getThemeMessage(code, text)}</#macro>
+<#macro themeText code, text>${springMacroRequestContext.getThemeMessage(code, text)?no_esc}</#macro>
 
 <#--
  * themeArgs
  *
  * Macro to translate a theme message code with arguments into a message.
  -->
-<#macro themeArgs code, args>${springMacroRequestContext.getThemeMessage(code, args)}</#macro>
+<#macro themeArgs code, args>${springMacroRequestContext.getThemeMessage(code, args)?no_esc}</#macro>
 
 <#--
  * themeArgsText
  *
  * Macro to translate a theme message code with arguments into a message,
  * using the given default text if no message found.
  -->
-<#macro themeArgsText code, args, text>${springMacroRequestContext.getThemeMessage(code, args, text)}</#macro>
+<#macro themeArgsText code, args, text>${springMacroRequestContext.getThemeMessage(code, args, text)?no_esc}</#macro>
 
 <#--
  * url
  *
  * Takes a relative URL and makes it absolute from the server root by
  * adding the context root for the web application.
  -->
-<#macro url relativeUrl extra...><#if extra?? && extra?size!=0>${springMacroRequestContext.getContextUrl(relativeUrl,extra)}<#else>${springMacroRequestContext.getContextUrl(relativeUrl)}</#if></#macro>
+<#macro url relativeUrl extra...><#if extra?? && extra?size!=0>${springMacroRequestContext.getContextUrl(relativeUrl,extra)?no_esc}<#else>${springMacroRequestContext.getContextUrl(relativeUrl)?no_esc}</#if></#macro>
 
 <#--
  * bind
@@ -109,9 +109,9 @@
  *   spring.status : a BindStatus instance holding the command object name,
  *   expression, value, and error messages and codes for the path supplied
  *
- * @param path : the path (string value) of the value required to bind to.
- *   Spring defaults to a command name of "command" but this can be overridden
- *   by user config.
+ * @param path the path (string value) of the value required to bind to.
+ *     Spring defaults to a command name of "command" but this can be
+ *     overridden by user configuration.
  -->
 <#macro bind path>
     <#if htmlEscape?exists>
@@ -152,8 +152,8 @@
  * of a command or bean.
  *
  * @param path the name of the field to bind to
- * @param attributes any additional attributes for the element (such as class
- *    or CSS styles or size
+ * @param attributes any additional attributes for the element
+ *    (such as class or CSS styles or size)
  -->
 <#macro formInput path attributes="" fieldType="text">
     <@bind path/>
@@ -169,8 +169,8 @@
  * of 'password'.
  *
  * @param path the name of the field to bind to
- * @param attributes any additional attributes for the element (such as class
- *    or CSS styles or size
+ * @param attributes any additional attributes for the element
+ *    (such as class or CSS styles or size)
  -->
 <#macro formPasswordInput path attributes="">
     <@formInput path, attributes, "password"/>
@@ -184,8 +184,8 @@
  * the formInput macro with a 'type' parameter of 'hidden'.
  *
  * @param path the name of the field to bind to
- * @param attributes any additional attributes for the element (such as class
- *    or CSS styles or size
+ * @param attributes any additional attributes for the element
+ *    (such as class or CSS styles or size)
  -->
 <#macro formHiddenInput path attributes="">
     <@formInput path, attributes, "hidden"/>
@@ -197,8 +197,8 @@
  * Display a text area and bind it to an attribute of a command or bean.
  *
  * @param path the name of the field to bind to
- * @param attributes any additional attributes for the element (such as class
- *    or CSS styles or size
+ * @param attributes any additional attributes for the element
+ *    (such as class or CSS styles or size)
  -->
 <#macro formTextarea path attributes="">
     <@bind path/>
@@ -214,8 +214,8 @@ ${stringStatusValue}</textarea>
  *
  * @param path the name of the field to bind to
  * @param options a map (value=label) of all the available options
- * @param attributes any additional attributes for the element (such as class
- *    or CSS styles or size
+ * @param attributes any additional attributes for the element
+ *    (such as class or CSS styles or size)
 -->
 <#macro formSingleSelect path options attributes="">
     <@bind path/>
@@ -240,8 +240,8 @@ ${stringStatusValue}</textarea>
  *
  * @param path the name of the field to bind to
  * @param options a map (value=label) of all the available options
- * @param attributes any additional attributes for the element (such as class
- *    or CSS styles or size
+ * @param attributes any additional attributes for the element
+ *    (such as class or CSS styles or size)
 -->
 <#macro formMultiSelect path options attributes="">
     <@bind path/>
@@ -260,17 +260,17 @@ ${stringStatusValue}</textarea>
  *
  * @param path the name of the field to bind to
  * @param options a map (value=label) of all the available options
- * @param separator the html tag or other character list that should be used to
- *    separate each option. Typically '&nbsp;' or '<br>'
- * @param attributes any additional attributes for the element (such as class
- *    or CSS styles or size
+ * @param separator the HTML tag or other character list that should be used to
+ *    separate each option (typically '&nbsp;' or '<br>')
+ * @param attributes any additional attributes for the element
+ *    (such as class or CSS styles or size)
 -->
 <#macro formRadioButtons path options separator attributes="">
     <@bind path/>
     <#list options?keys as value>
     <#assign id="${status.expression?replace('[','')?replace(']','')}${value_index}">
     <input type="radio" id="${id}" name="${status.expression}" value="${value}"<#if stringStatusValue == value> checked="checked"</#if> ${attributes?no_esc}<@closeTag/>
-    <label for="${id}">${options[value]}</label>${separator}
+    <label for="${id}">${options[value]}</label>${separator?no_esc}
     </#list>
 </#macro>
 
@@ -281,18 +281,18 @@ ${stringStatusValue}</textarea>
  *
  * @param path the name of the field to bind to
  * @param options a map (value=label) of all the available options
- * @param separator the html tag or other character list that should be used to
- *    separate each option. Typically '&nbsp;' or '<br>'
- * @param attributes any additional attributes for the element (such as class
- *    or CSS styles or size
+ * @param separator the HTML tag or other character list that should be used to
+ *    separate each option (typically '&nbsp;' or '<br>')
+ * @param attributes any additional attributes for the element
+ *    (such as class or CSS styles or size)
 -->
 <#macro formCheckboxes path options separator attributes="">
     <@bind path/>
     <#list options?keys as value>
     <#assign id="${status.expression?replace('[','')?replace(']','')}${value_index}">
     <#assign isSelected = contains(status.actualValue?default([""]), value)>
     <input type="checkbox" id="${id}" name="${status.expression}" value="${value}"<#if isSelected> checked="checked"</#if> ${attributes?no_esc}<@closeTag/>
-    <label for="${id}">${options[value]}</label>${separator}
+    <label for="${id}">${options[value]}</label>${separator?no_esc}
     </#list>
     <input type="hidden" name="_${status.expression}" value="on"/>
 </#macro>
@@ -303,8 +303,8 @@ ${stringStatusValue}</textarea>
  * Show a single checkbox.
  *
  * @param path the name of the field to bind to
- * @param attributes any additional attributes for the element (such as class
- *    or CSS styles or size
+ * @param attributes any additional attributes for the element
+ *    (such as class or CSS styles or size)
 -->
 <#macro formCheckbox path attributes="">
 	<@bind path />
@@ -320,12 +320,12 @@ ${stringStatusValue}</textarea>
  * Show validation errors for the currently bound field, with
  * optional style attributes.
  *
- * @param separator the html tag or other character list that should be used to
- *    separate each option. Typically '<br>'.
+ * @param separator the HTML tag or other character list that should be used to
+ *    separate each option (typically '&nbsp;' or '<br>')
  * @param classOrStyle either the name of a CSS class element (which is defined in
- *    the template or an external CSS file) or an inline style. If the value passed in here
- *    contains a colon (:) then a 'style=' attribute will be used, else a 'class=' attribute
- *    will be used.
+ *    the template or an external CSS file) or an inline style. If the value passed
+ *    in here contains a colon (:) then a 'style=' attribute will be used,
+ *    otherwise a 'class=' attribute will be used.
 -->
 <#macro showErrors separator classOrStyle="">
     <#list status.errorMessages as error>
@@ -335,7 +335,7 @@ ${stringStatusValue}</textarea>
         <#if classOrStyle?index_of(":") == -1><#assign attr="class"><#else><#assign attr="style"></#if>
         <span ${attr}="${classOrStyle}">${error}</span>
     </#if>
-    <#if error_has_next>${separator}</#if>
+    <#if error_has_next>${separator?no_esc}</#if>
     </#list>
 </#macro>
 
