Merge pull request #50205 from kwondh5217

* fix/whitelabel-timestamp-html-escaping:
  Polish contribution
  Apply HTML escaping to timestamp attribute in Whitelabel error page

Closes gh-50205

Author: snicoll

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/error/AbstractErrorWebExceptionHandler.java

@@ -17,7 +17,6 @@
 package org.springframework.boot.autoconfigure.web.reactive.error;
 
 import java.util.Collections;
-import java.util.Date;
 import java.util.List;
 import java.util.Map;
 
@@ -237,17 +236,17 @@ private Resource resolveResource(String viewName) {
 	protected Mono<ServerResponse> renderDefaultErrorView(ServerResponse.BodyBuilder responseBody,
 			Map<String, Object> error) {
 		StringBuilder builder = new StringBuilder();
-		Date timestamp = (Date) error.get("timestamp");
+		Object timestamp = error.get("timestamp");
 		Object message = error.get("message");
 		Object trace = error.get("trace");
 		Object requestId = error.get("requestId");
 		builder.append("<html><body><h1>Whitelabel Error Page</h1>")
 			.append("<p>This application has no configured error view, so you are seeing this as a fallback.</p>")
 			.append("<div id='created'>")
-			.append(timestamp)
+			.append(htmlEscape(timestamp))
 			.append("</div>")
 			.append("<div>[")
-			.append(requestId)
+			.append(htmlEscape(requestId))
 			.append("] There was an unexpected error (type=")
 			.append(htmlEscape(error.get("error")))
 			.append(", status=")

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/error/ErrorMvcAutoConfiguration.java

@@ -213,7 +213,7 @@ public void render(Map<String, ?> model, HttpServletRequest request, HttpServlet
 			builder.append("<html><body><h1>Whitelabel Error Page</h1>")
 				.append("<p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p>")
 				.append("<div id='created'>")
-				.append(timestamp)
+				.append(htmlEscape(timestamp))
 				.append("</div>")
 				.append("<div>There was an unexpected error (type=")
 				.append(htmlEscape(model.get("error")))

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/reactive/error/DefaultErrorWebExceptionHandlerIntegrationTests.java

@@ -460,6 +460,29 @@ void escapeHtmlInDefaultErrorView() {
 			});
 	}
 
+	@Test
+	void escapeHtmlInErrorAttributes() {
+		this.contextRunner.withPropertyValues("spring.mustache.prefix=classpath:/unknown/")
+			.withUserConfiguration(CustomErrorAttributesWithEscaping.class)
+			.run((context) -> {
+				WebTestClient client = getWebClient(context);
+				String body = client.get()
+					.uri("/")
+					.accept(MediaType.TEXT_HTML)
+					.exchange()
+					.expectStatus()
+					.isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR)
+					.expectHeader()
+					.contentType(TEXT_HTML_UTF8)
+					.expectBody(String.class)
+					.returnResult()
+					.getResponseBody();
+				assertThat(body).doesNotContain("<script>")
+					.contains("&lt;script&gt;")
+					.contains("xss-error", "xss-message", "xss-requestId", "xss-timestamp", "xss-trace");
+			});
+	}
+
 	@Test
 	void testExceptionWithNullMessage() {
 		this.contextRunner.withPropertyValues("spring.mustache.prefix=classpath:/unknown/").run((context) -> {
@@ -781,4 +804,27 @@ public Map<String, Object> getErrorAttributes(ServerRequest request, ErrorAttrib
 
 	}
 
+	@Configuration(proxyBeanMethods = false)
+	static class CustomErrorAttributesWithEscaping {
+
+		@Bean
+		ErrorAttributes errorAttributes() {
+			return new DefaultErrorAttributes() {
+
+				@Override
+				public Map<String, Object> getErrorAttributes(ServerRequest request, ErrorAttributeOptions options) {
+					Map<String, Object> attributes = new LinkedHashMap<>(super.getErrorAttributes(request, options));
+					attributes.put("error", "<script>alert('xss-error')</script>");
+					attributes.put("message", "<script>alert('xss-message')</script>");
+					attributes.put("requestId", "<script>alert('xss-requestId')</script>");
+					attributes.put("timestamp", "<script>alert('xss-timestamp')</script>");
+					attributes.put("trace", "<script>alert('xss-trace')</script>");
+					return attributes;
+				}
+
+			};
+		}
+
+	}
+
 }

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/servlet/error/ErrorMvcAutoConfigurationTests.java

@@ -19,6 +19,7 @@
 import java.time.Clock;
 import java.util.Map;
 
+import jakarta.servlet.http.HttpServletResponse;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -84,6 +85,30 @@ void renderCanUseJavaTimeTypeAsTimestamp() { // gh-23256
 		});
 	}
 
+	@Test
+	void renderEscapesHtmlInErrorAttributes() {
+		this.contextRunner.run((context) -> {
+			View errorView = context.getBean("error", View.class);
+			ErrorAttributes errorAttributes = context.getBean(ErrorAttributes.class);
+			DispatcherServletWebRequest webRequest = createWebRequest(new IllegalStateException("Exception message"),
+					false);
+			Map<String, Object> attributes = errorAttributes.getErrorAttributes(webRequest, withAllOptions());
+			attributes.put("error", "<script>alert('xss-error')</script>");
+			attributes.put("message", "<script>alert('xss-message')</script>");
+			attributes.put("timestamp", "<script>alert('xss-timestamp')</script>");
+			attributes.put("trace", "<script>alert('xss-trace')</script>");
+			HttpServletResponse response = webRequest.getResponse();
+			assertThat(response).isNotNull();
+			errorView.render(attributes, webRequest.getRequest(), response);
+			String responseString = ((MockHttpServletResponse) response).getContentAsString();
+			assertThat(responseString).contains("&lt;script&gt;alert(&#39;xss-error&#39;)&lt;/script&gt;")
+				.contains("&lt;script&gt;alert(&#39;xss-message&#39;)&lt;/script&gt;")
+				.contains("&lt;script&gt;alert(&#39;xss-timestamp&#39;)&lt;/script&gt;")
+				.contains("&lt;script&gt;alert(&#39;xss-trace&#39;)&lt;/script&gt;")
+				.doesNotContain("<script>");
+		});
+	}
+
 	@Test
 	void renderWhenAlreadyCommittedLogsMessage(CapturedOutput output) {
 		this.contextRunner.run((context) -> {