Update JavaScriptUtils

Add escaping for <, >, and PS/LS line terminators

Issue: SPR-9983

org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java

 /*
- * Copyright 2002-2008 the original author or authors.
+ * Copyright 2002-2013 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,21 +21,21 @@ package org.springframework.web.util;
  * Escapes based on the JavaScript 1.5 recommendation.
  *
  * <p>Reference:
- * <a href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Literals#String_Literals">
- * Core JavaScript 1.5 Guide
- * </a>
+ * <a href="https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Values,_variables,_and_literals#String_literals">
+ * JavaScript Guide</a> on Mozilla Developer Network.
  *
  * @author Juergen Hoeller
  * @author Rob Harrop
+ * @author Rossen Stoyanchev
  * @since 1.1.1
  */
 public class JavaScriptUtils {
 
 	/**
-	 * Turn special characters into escaped characters conforming to JavaScript.
-	 * Handles complete character set defined in HTML 4.01 recommendation.
+	 * Turn JavaScript special characters into escaped characters.
+	 *
 	 * @param input the input string
-	 * @return the escaped string
+	 * @return the string with escaped characters
 	 */
 	public static String javaScriptEscape(String input) {
 		if (input == null) {
@@ -73,6 +73,27 @@ public class JavaScriptUtils {
 			else if (c == '\f') {
 				filtered.append("\\f");
 			}
+			else if (c == '\b') {
+				filtered.append("\\b");
+			}
+			// No '\v' in Java, use octal value for VT ascii char
+			else if (c == '\013') {
+				filtered.append("\\v");
+			}
+			else if (c == '<') {
+				filtered.append("\\u003C");
+			}
+			else if (c == '>') {
+				filtered.append("\\u003E");
+			}
+			// Unicode for PS (line terminator in ECMA-262)
+			else if (c == '\u2028') {
+				filtered.append("\\u2028");
+			}
+			// Unicode for LS (line terminator in ECMA-262)
+			else if (c == '\u2029') {
+				filtered.append("\\u2029");
+			}
 			else {
 				filtered.append(c);
 			}

org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java

+/*
+ * Copyright 2004-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.web.util;
+
+import static org.junit.Assert.*;
+
+import java.io.UnsupportedEncodingException;
+
+import org.junit.Test;
+
+/**
+ * Test fixture for {@link JavaScriptUtils}.
+ *
+ * @author Rossen Stoyanchev
+ */
+public class JavaScriptUtilsTests {
+
+	@Test
+	public void escape() {
+		StringBuilder sb = new StringBuilder();
+		sb.append('"');
+		sb.append("'");
+		sb.append("\\");
+		sb.append("/");
+		sb.append("\t");
+		sb.append("\n");
+		sb.append("\r");
+		sb.append("\f");
+		sb.append("\b");
+		sb.append("\013");
+		assertEquals("\\\"\\'\\\\\\/\\t\\n\\n\\f\\b\\v", JavaScriptUtils.javaScriptEscape(sb.toString()));
+	}
+
+	// SPR-9983
+
+	@Test
+	public void escapePsLsLineTerminators() {
+		StringBuilder sb = new StringBuilder();
+		sb.append('\u2028');
+		sb.append('\u2029');
+		String result = JavaScriptUtils.javaScriptEscape(sb.toString());
+
+		assertEquals("\\u2028\\u2029", result);
+	}
+
+	// SPR-9983
+
+	@Test
+	public void escapeLessThanGreaterThanSigns() throws UnsupportedEncodingException {
+		assertEquals("\\u003C\\u003E", JavaScriptUtils.javaScriptEscape("<>"));
+	}
+
+}