Merge branch '6.2.x'

Author: sbrannen

spring-beans/src/testFixtures/java/org/springframework/beans/testfixture/beans/TestBean.java

@@ -60,6 +60,8 @@ public class TestBean implements BeanNameAware, BeanFactoryAware, ITestBean, IOt
 
 	private boolean jedi;
 
+	private String favoriteCafé;
+
 	private ITestBean spouse;
 
 	private String touchy;
@@ -210,6 +212,14 @@ public void setJedi(boolean jedi) {
 		this.jedi = jedi;
 	}
 
+	public String getFavoriteCafé() {
+		return this.favoriteCafé;
+	}
+
+	public void setFavoriteCafé(String favoriteCafé) {
+		this.favoriteCafé = favoriteCafé;
+	}
+
 	@Override
 	public ITestBean getSpouse() {
 		return this.spouse;

spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/OptionWriter.java

@@ -28,6 +28,7 @@
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 import org.springframework.web.servlet.support.BindStatus;
+import org.springframework.web.util.HtmlUtils;
 
 /**
  * Provides supporting functionality to render a list of '{@code option}'
@@ -100,18 +101,25 @@ class OptionWriter {
 
 	private final boolean htmlEscape;
 
+	private final @Nullable String encoding;
+
 
 	/**
-	 * Create a new {@code OptionWriter} for the supplied {@code objectSource}.
+	 * Create a new {@code OptionWriter} for the supplied {@code optionSource}.
 	 * @param optionSource the source of the {@code options} (never {@code null})
 	 * @param bindStatus the {@link BindStatus} for the bound value (never {@code null})
 	 * @param valueProperty the name of the property used to render {@code option} values
 	 * (optional)
 	 * @param labelProperty the name of the property used to render {@code option} labels
 	 * (optional)
+	 * @param htmlEscape whether special characters should be converted into HTML
+	 * character references
+	 * @param encoding the character encoding to use, or {@code null} if response
+	 * encoding should not be used with HTML escaping
 	 */
 	public OptionWriter(Object optionSource, BindStatus bindStatus,
-			@Nullable String valueProperty, @Nullable String labelProperty, boolean htmlEscape) {
+			@Nullable String valueProperty, @Nullable String labelProperty,
+			boolean htmlEscape, @Nullable String encoding) {
 
 		Assert.notNull(optionSource, "'optionSource' must not be null");
 		Assert.notNull(bindStatus, "'bindStatus' must not be null");
@@ -120,6 +128,7 @@ public OptionWriter(Object optionSource, BindStatus bindStatus,
 		this.valueProperty = valueProperty;
 		this.labelProperty = labelProperty;
 		this.htmlEscape = htmlEscape;
+		this.encoding = encoding;
 	}
 
 
@@ -248,7 +257,14 @@ private void renderOption(TagWriter tagWriter, Object item, @Nullable Object val
 	 */
 	private String getDisplayString(@Nullable Object value) {
 		PropertyEditor editor = (value != null ? this.bindStatus.findEditor(value.getClass()) : null);
-		return ValueFormatter.getDisplayString(value, editor, this.htmlEscape);
+		String displayString = ValueFormatter.getDisplayString(value, editor, false);
+		return (this.htmlEscape ? htmlEscape(displayString) : displayString);
+	}
+
+	private String htmlEscape(String content) {
+		return (this.encoding != null ?
+				HtmlUtils.htmlEscape(content, this.encoding) :
+				HtmlUtils.htmlEscape(content));
 	}
 
 	/**

spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/OptionsTag.java

@@ -187,6 +187,7 @@
  * @author Rob Harrop
  * @author Juergen Hoeller
  * @author Scott Andrews
+ * @author Sam Brannen
  * @since 2.0
  */
 @SuppressWarnings("serial")
@@ -306,7 +307,10 @@ protected int writeTagContent(TagWriter tagWriter) throws JspException {
 					(itemValue != null ? ObjectUtils.getDisplayString(evaluate("itemValue", itemValue)) : null);
 			String labelProperty =
 					(itemLabel != null ? ObjectUtils.getDisplayString(evaluate("itemLabel", itemLabel)) : null);
-			OptionsWriter optionWriter = new OptionsWriter(selectName, itemsObject, valueProperty, labelProperty);
+			String encodingToUse =
+					(isResponseEncodedHtmlEscape() ? this.pageContext.getResponse().getCharacterEncoding() : null);
+			OptionsWriter optionWriter =
+					new OptionsWriter(selectName, itemsObject, valueProperty, labelProperty, encodingToUse);
 			optionWriter.writeOptions(tagWriter);
 		}
 		return SKIP_BODY;
@@ -345,9 +349,9 @@ private class OptionsWriter extends OptionWriter {
 		private final @Nullable String selectName;
 
 		public OptionsWriter(@Nullable String selectName, Object optionSource,
-				@Nullable String valueProperty, @Nullable String labelProperty) {
+				@Nullable String valueProperty, @Nullable String labelProperty, @Nullable String encoding) {
 
-			super(optionSource, getBindStatus(), valueProperty, labelProperty, isHtmlEscape());
+			super(optionSource, getBindStatus(), valueProperty, labelProperty, isHtmlEscape(), encoding);
 			this.selectName = selectName;
 		}
 

spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/SelectTag.java

@@ -235,6 +235,7 @@
  *
  * @author Rob Harrop
  * @author Juergen Hoeller
+ * @author Sam Brannen
  * @since 2.0
  * @see OptionTag
  */
@@ -407,8 +408,12 @@ protected int writeTagContent(TagWriter tagWriter) throws JspException {
 							ObjectUtils.getDisplayString(evaluate("itemValue", getItemValue())) : null);
 					String labelProperty = (getItemLabel() != null ?
 							ObjectUtils.getDisplayString(evaluate("itemLabel", getItemLabel())) : null);
+					String encodingToUse = (isResponseEncodedHtmlEscape() ?
+							this.pageContext.getResponse().getCharacterEncoding() : null);
 					OptionWriter optionWriter =
-							new OptionWriter(itemsObject, getBindStatus(), valueProperty, labelProperty, isHtmlEscape()) {
+							new OptionWriter(itemsObject, getBindStatus(), valueProperty, labelProperty,
+									isHtmlEscape(), encodingToUse) {
+
 								@Override
 								protected String processOptionValue(String resolvedValue) {
 									return processFieldValue(selectName, resolvedValue, "option");

spring-webmvc/src/test/java/org/springframework/web/servlet/tags/form/OptionsTagTests.java

@@ -21,6 +21,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -50,6 +51,7 @@
  * @author Juergen Hoeller
  * @author Scott Andrews
  * @author Jeremy Grelle
+ * @author Sam Brannen
  */
 @SuppressWarnings({ "rawtypes", "unchecked" })
 class OptionsTagTests extends AbstractHtmlElementTagTests {
@@ -115,6 +117,86 @@ void withCollection() throws Exception {
 		assertThat(element.attribute("onclick").getValue()).isEqualTo("CLICK");
 	}
 
+	@Test  // gh-35783
+	void withListWithHtmlEscaping() throws Exception {
+		getPageContext().setAttribute(
+				SelectTag.LIST_VALUE_PAGE_ATTRIBUTE, new BindStatus(getRequestContext(), "testBean.country", false));
+
+		this.tag.setItems(List.of("café", "Jane \"I Love Cafés\" Smith"));
+		this.tag.setId("myOption");
+
+		var expectedOutput = """
+				<option id="myOption1" value="caf&eacute;">caf&eacute;</option>
+				<option id="myOption2" value="Jane &quot;I Love Caf&eacute;s&quot; Smith">Jane &quot;I Love Caf&eacute;s&quot; Smith</option>
+				""".replace("\n", "");
+
+		assertThat(this.tag.doStartTag()).isEqualTo(Tag.SKIP_BODY);
+		assertThat(getOutput()).isEqualTo(expectedOutput);
+	}
+
+	@Test  // gh-35783
+	void withListWithHtmlEscapingAndCharacterEncoding() throws Exception {
+		this.getPageContext().getResponse().setCharacterEncoding("UTF-8");
+
+		getPageContext().setAttribute(
+				SelectTag.LIST_VALUE_PAGE_ATTRIBUTE, new BindStatus(getRequestContext(), "testBean.country", false));
+
+		this.tag.setItems(List.of("café", "Jane \"I Love Cafés\" Smith"));
+		this.tag.setId("myOption");
+
+		var expectedOutput = """
+				<option id="myOption1" value="café">café</option>
+				<option id="myOption2" value="Jane &quot;I Love Cafés&quot; Smith">Jane &quot;I Love Cafés&quot; Smith</option>
+				""".replace("\n", "");
+
+		assertThat(this.tag.doStartTag()).isEqualTo(Tag.SKIP_BODY);
+		assertThat(getOutput()).isEqualTo(expectedOutput);
+	}
+
+	@Test  // gh-35783
+	void withMapWithHtmlEscaping() throws Exception {
+		getPageContext().setAttribute(
+				SelectTag.LIST_VALUE_PAGE_ATTRIBUTE, new BindStatus(getRequestContext(), "testBean.country", false));
+
+		var map = new LinkedHashMap<String, String>();
+		map.put("one", "Jane \"I Love Cafés\" Smith");
+		map.put("two", "Joe Café");
+
+		this.tag.setItems(map);
+		this.tag.setId("myOption");
+
+		var expectedOutput = """
+				<option id="myOption1" value="one">Jane &quot;I Love Caf&eacute;s&quot; Smith</option>
+				<option id="myOption2" value="two">Joe Caf&eacute;</option>
+				""".replace("\n", "");
+
+		assertThat(this.tag.doStartTag()).isEqualTo(Tag.SKIP_BODY);
+		assertThat(getOutput()).isEqualTo(expectedOutput);
+	}
+
+	@Test  // gh-35783
+	void withMapWithHtmlEscapingAndCharacterEncoding() throws Exception {
+		this.getPageContext().getResponse().setCharacterEncoding("UTF-8");
+
+		getPageContext().setAttribute(
+				SelectTag.LIST_VALUE_PAGE_ATTRIBUTE, new BindStatus(getRequestContext(), "testBean.country", false));
+
+		var map = new LinkedHashMap<String, String>();
+		map.put("one", "Jane \"I Love Cafés\" Smith");
+		map.put("two", "Joe Café");
+
+		this.tag.setItems(map);
+		this.tag.setId("myOption");
+
+		var expectedOutput = """
+				<option id="myOption1" value="one">Jane &quot;I Love Cafés&quot; Smith</option>
+				<option id="myOption2" value="two">Joe Café</option>
+				""".replace("\n", "");
+
+		assertThat(this.tag.doStartTag()).isEqualTo(Tag.SKIP_BODY);
+		assertThat(getOutput()).isEqualTo(expectedOutput);
+	}
+
 	@Test
 	void withCollectionAndDynamicAttributes() throws Exception {
 		String dynamicAttribute1 = "attr1";