package org.jooby.issues;

import org.jooby.test.ServerFeature;
import org.junit.Test;

/**
 * Regression test for issue 453: reading request parameters, headers and form/bean
 * bindings through the named {@code html} xss filter.
 *
 * <p>Each route passes {@code "html"} (or, for the form/params routes, the value of the
 * {@code xss} query parameter, defaulting to {@code "html"}) as the filter name and echoes
 * the resulting text back as the response body.
 *
 * <p>NOTE(review): the expected bodies are written here as the raw markup {@code <h1>X</h1>}.
 * If the {@code html} filter is meant to entity-encode its input, the expectations should be
 * the escaped form; this may be an artifact of how the listing was captured (entities
 * decoded) — confirm against the upstream test before relying on these assertions.
 */
public class Issue453 extends ServerFeature {

  /** Markup used as the probe value in every request. */
  private static final String MARKUP = "<h1>X</h1>";

  /** The same markup, percent-encoded for use in a query string. */
  private static final String ENCODED_MARKUP = "%3Ch1%3EX%3C/h1%3E";

  /** Bean populated from the {@code text} parameter by the form/params routes. */
  public static class Form {
    public String text;
  }

  {
    // Single query parameter, read through the "html" xss filter.
    get("/453", req -> req.param("text", "html").value());

    // Same lookup, but the value comes from a request header.
    get("/453/h", req -> req.header("text", "html").value());

    // Bean binding from all params; the filter name is itself taken from the "xss"
    // parameter and falls back to "html" when absent.
    get("/453/escape-params",
        req -> req.params(Form.class, req.param("xss").value("html")).text);

    // Bean binding from the form body, same filter-name lookup.
    get("/453/escape-form",
        req -> req.form(Form.class, req.param("xss").value("html")).text);

    // Filtered params converted to the bean via to(...).
    get("/453/to-escape-form",
        req -> req.params(req.param("xss").value("html")).to(Form.class).text);

    // Any failure is reported as the exception message in the response body so a test can
    // observe it directly. NOTE(review): presumably the xss=none request in escapeForm()
    // exercises this path — confirm.
    err((req, rsp, x) -> rsp.send(x.toMap().get("message")));
  }

  /** Parameter and header values read through the "html" filter. */
  @Test
  public void escape() throws Exception {
    request()
        .get("/453?text=" + ENCODED_MARKUP)
        .expect(MARKUP);

    request()
        .get("/453/h")
        .header("text", MARKUP)
        .expect(MARKUP);
  }

  /** Bean bindings (form, params, params.to) read through the named filter. */
  @Test
  public void escapeForm() throws Exception {
    request()
        .get("/453/escape-form?text=" + ENCODED_MARKUP)
        .expect(MARKUP);

    request()
        .get("/453/escape-params?text=" + ENCODED_MARKUP)
        .expect(MARKUP);

    // Filter name supplied explicitly via the xss parameter.
    request()
        .get("/453/escape-form?text=" + ENCODED_MARKUP + "&xss=none")
        .expect(MARKUP);

    request()
        .get("/453/to-escape-form?text=" + ENCODED_MARKUP)
        .expect(MARKUP);
  }
}