Ondrej Tokar

Reputation: 5070

How to set defaultHtmlEscape to true without XML in Spring MVC?

I want to avoid using XML configurations and therefore I made my AppConfig class where I have plenty of beans for different purposes.

I can't find how to prevent an XSS by setting defaultHtmlEscape inside my AppConfig. Everything I found was a config per form or globally in XML config.

My AppConfig now:

import java.util.Properties;

import javax.persistence.EntityManagerFactory;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.dao.annotation.PersistenceExceptionTranslationPostProcessor;
import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.orm.jpa.JpaTransactionManager;
import org.springframework.orm.jpa.JpaVendorAdapter;
import org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean;
import org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter;
import org.springframework.transaction.PlatformTransactionManager;
import org.springframework.transaction.annotation.EnableTransactionManagement;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;

@EnableJpaRepositories(basePackages="org.maguss.repositories")
@EnableTransactionManagement
@EnableWebMvc
@Configuration
@ComponentScan({ "org.maguss.*" })
@Import({ SecurityConfig.class })
public class AppConfig {

    @Bean(name = "dataSource")
    public DriverManagerDataSource dataSource() {
        // Local MySQL; root with an empty password is only acceptable for a throwaway dev database.
        DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource();
        driverManagerDataSource.setDriverClassName("com.mysql.jdbc.Driver");
        driverManagerDataSource.setUrl("jdbc:mysql://127.0.0.1:3306/test");
        driverManagerDataSource.setUsername("root");
        driverManagerDataSource.setPassword("");
        return driverManagerDataSource;
    }

    @Bean
    public InternalResourceViewResolver viewResolver() {
        // JSP views under /WEB-INF/pages/, e.g. view name "home" -> /WEB-INF/pages/home.jsp
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/WEB-INF/pages/");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }

    //////////////////////////
    // JPA / Hibernate setup
    @Bean
    public LocalContainerEntityManagerFactoryBean entityManagerFactory() {
        LocalContainerEntityManagerFactoryBean em = new LocalContainerEntityManagerFactoryBean();
        em.setDataSource(dataSource());
        em.setPackagesToScan(new String[] { "org.maguss.model" });

        JpaVendorAdapter vendorAdapter = new HibernateJpaVendorAdapter();
        em.setJpaVendorAdapter(vendorAdapter);
        em.setJpaProperties(additionalProperties());

        return em;
    }

    @Bean
    public PlatformTransactionManager transactionManager(EntityManagerFactory emf) {
        JpaTransactionManager transactionManager = new JpaTransactionManager();
        transactionManager.setEntityManagerFactory(emf);

        return transactionManager;
    }

    @Bean
    public PersistenceExceptionTranslationPostProcessor exceptionTranslation() {
        return new PersistenceExceptionTranslationPostProcessor();
    }

    Properties additionalProperties() {
        Properties properties = new Properties();
        properties.setProperty("hibernate.hbm2ddl.auto", "update");
        //  properties.setProperty("hibernate.hbm2ddl.auto", "create");
        properties.setProperty("hibernate.dialect", "org.hibernate.dialect.MySQL5Dialect");
        return properties;
    }
    //////////////////////////

}

Upvotes: 0

Views: 3914

Answers (2)

PMah

Reputation: 738

Today I ran into the same question, and found two ways to achieve this.

1. Add an entry to the application.properties file

You can add the following entry to the application.properties file:

server.servlet.context-parameters.defaultHtmlEscape=true

2. Create a WebServerFactoryCustomizer bean

Alternatively, you can create a WebServerFactoryCustomizer bean to apply the customisation:

import java.util.Map;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.boot.web.servlet.server.AbstractServletWebServerFactory;
import org.springframework.stereotype.Component;
import org.springframework.web.util.WebUtils;

@Component
public class WebServerCustomisations
        implements WebServerFactoryCustomizer<AbstractServletWebServerFactory> {

    @Override
    public void customize(AbstractServletWebServerFactory factory) {
        // WebUtils.HTML_ESCAPE_CONTEXT_PARAM is the "defaultHtmlEscape" context-param name
        Map<String, String> initParams = factory.getInitParameters();
        initParams.put(WebUtils.HTML_ESCAPE_CONTEXT_PARAM, Boolean.toString(true));
    }
}

Note that this method will only be applied for those web servers that have a factory deriving from AbstractServletWebServerFactory. At the moment, it looks like this is Tomcat, Jetty and Undertow.

Upvotes: 2

Ali Dehghani

Reputation: 48133

I guess you should have an AbstractAnnotationConfigDispatcherServletInitializer instead of traditional web.xml, based on that you can:

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class YourServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    // root config, web config and servlet mapping (AppConfig from the question used as root config)
    @Override protected Class<?>[] getRootConfigClasses() { return new Class<?>[] { AppConfig.class }; }
    @Override protected Class<?>[] getServletConfigClasses() { return null; }
    @Override protected String[] getServletMappings() { return new String[] { "/" }; }

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // same effect as <context-param>defaultHtmlEscape=true</context-param> in web.xml;
        // set it before super.onStartup registers the DispatcherServlet
        servletContext.setInitParameter("defaultHtmlEscape", "true");

        super.onStartup(servletContext);
    }
}

Upvotes: 1
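Both answers end up doing the same thing: putting a servlet-context init parameter named defaultHtmlEscape (the constant WebUtils.HTML_ESCAPE_CONTEXT_PARAM) with the value "true" into the ServletContext, which Spring reads through WebUtils.getDefaultHtmlEscape when it builds a RequestContext for a view. The following is an added example, not code from the question or either answer, that checks what the flag actually changes. It assumes spring-test (MockServletContext, MockHttpServletRequest) and spring-webmvc are on the classpath; the message key "greeting", the class name and the payload string are constructed for the example.

```java
import java.util.Locale;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockServletContext;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.StaticWebApplicationContext;
import org.springframework.web.servlet.support.RequestContext;
import org.springframework.web.util.WebUtils;

/**
 * Added example (not from the question or the answers): resolves a message
 * through Spring's RequestContext with and without the defaultHtmlEscape
 * context-param, which is the same path <spring:message>, <spring:bind>
 * and the form:* tags take when no htmlEscape attribute is given.
 */
public class DefaultHtmlEscapeCheck {

    // Constructed sample input standing in for an attacker-controlled message/value.
    static final String PAYLOAD = "<script>alert(1)</script>";

    /** Renders the "greeting" message the way a Spring tag would, with the flag on or off. */
    static String renderMessage(boolean defaultHtmlEscape) {
        MockServletContext servletContext = new MockServletContext();
        if (defaultHtmlEscape) {
            // What the web.xml <context-param>, the Boot property
            // server.servlet.context-parameters.defaultHtmlEscape and the
            // ServletContext.setInitParameter call in the answers all amount to.
            servletContext.setInitParameter(WebUtils.HTML_ESCAPE_CONTEXT_PARAM, "true");
        }

        // Minimal root WebApplicationContext so RequestContext can find a MessageSource.
        StaticWebApplicationContext wac = new StaticWebApplicationContext();
        wac.setServletContext(servletContext);
        wac.addMessage("greeting", Locale.ENGLISH, PAYLOAD);
        wac.refresh();
        servletContext.setAttribute(
                WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, wac);

        MockHttpServletRequest request = new MockHttpServletRequest(servletContext);
        request.addPreferredLocale(Locale.ENGLISH);

        // getMessage(code) uses isDefaultHtmlEscape(), which is read from the context-param.
        RequestContext rc = new RequestContext(request, servletContext);
        return rc.getMessage("greeting");
    }

    public static void main(String[] args) {
        String unescaped = renderMessage(false);
        String escaped = renderMessage(true);
        System.out.println("defaultHtmlEscape unset: " + unescaped);
        System.out.println("defaultHtmlEscape=true : " + escaped);
        if (!PAYLOAD.equals(unescaped)) {
            throw new AssertionError("unexpected escaping without the flag: " + unescaped);
        }
        if (!"&lt;script&gt;alert(1)&lt;/script&gt;".equals(escaped)) {
            throw new AssertionError("context-param was not honoured: " + escaped);
        }
    }
}
```

Two caveats worth keeping in mind when relying on this flag. It only governs Spring's own rendering helpers (RequestContext, BindStatus and the spring: and form: tag libraries); a plain ${...} EL expression in a JSP, or a <c:out escapeXml="false">, is written to the response untouched, so the setting is not a blanket XSS fix and output in templates still has to be escaped explicitly. Second, a <spring:htmlEscape defaultHtmlEscape="false"/> tag or an htmlEscape="false" attribute on an individual tag overrides the context-wide default for that page or tag, which is where to look when a page that should be escaping is not.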
