CVE-2022-1782: added option to escape HTML when compiling Mustache templates · Erudika/para@9d844f3
Generic cross-site scripting (XSS) in the GitHub repository erudika/para prior to v1.45.11: Mustache templates were compiled with HTML escaping disabled, so values from the rendering context were emitted verbatim.
@@ -330,13 +330,13 @@ public static String markdownToHtml(String markdownString, boolean htmlTagsRende
* @param template a Mustache template
* @return the compiled template string
*/
public static String compileMustache(Map<String, Object> context, String template) {
public static String compileMustache(Map<String, Object> context, String template, boolean escapeHtml) {
if (context == null || StringUtils.isBlank(template)) {
return "";
}
Writer writer = new StringWriter();
try {
Mustache.compiler().escapeHTML(false).emptyStringIsFalse(true).compile(template).execute(context, writer);
Mustache.compiler().escapeHTML(escapeHtml).emptyStringIsFalse(true).compile(template).execute(context, writer);
} finally {
try {
writer.close();
@@ -347,6 +347,16 @@ public static String compileMustache(Map<String, Object> context, String templat
return writer.toString();
}
/**
* @see #compileMustache(java.util.Map, java.lang.String, boolean)
* @param context a map of fields and values
* @param template a Mustache template
* @return the compiled template string
*/
public static String compileMustache(Map<String, Object> context, String template) {
return compileMustache(context, template, false);
}
/**
* Abbreviates a string.
* @param str a string
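Review bot: The two-argument overload added at the end of this hunk still delegates with `false`, so every existing caller of `compileMustache(context, template)` keeps rendering context values unescaped and the XSS fix is opt-in rather than the default. If the call sites cannot all be audited now, the safer default is `return compileMustache(context, template, true);`, leaving the unescaped path reachable only through the explicit three-argument form. At minimum the new Javadoc should state the hazard, e.g. `* Renders without HTML escaping; do not pass untrusted values in {@code context} — use the three-argument form with {@code escapeHtml = true}.` Note also that, as far as I recall of JMustache, `escapeHTML(true)` only affects double-mustache tags (`{{{...}}}` and `{{& ...}}` still emit raw values) and it does nothing when the template string itself is attacker-controlled, so a caller-side review is still needed.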