Merge branch '4.0.x'

Closes gh-50216

Author: snicoll

module/spring-boot-webflux/src/main/java/org/springframework/boot/webflux/autoconfigure/error/AbstractErrorWebExceptionHandler.java

@@ -17,7 +17,6 @@
 package org.springframework.boot.webflux.autoconfigure.error;
 
 import java.util.Collections;
-import java.util.Date;
 import java.util.List;
 import java.util.Map;
 
@@ -236,17 +235,17 @@ private boolean isTemplateAvailable(String viewName) {
 	protected Mono<ServerResponse> renderDefaultErrorView(ServerResponse.BodyBuilder responseBody,
 			Map<String, @Nullable Object> error) {
 		StringBuilder builder = new StringBuilder();
-		Date timestamp = (Date) error.get("timestamp");
+		Object timestamp = error.get("timestamp");
 		Object message = error.get("message");
 		Object trace = error.get("trace");
 		Object requestId = error.get("requestId");
 		builder.append("<html><body><h1>Whitelabel Error Page</h1>")
 			.append("<p>This application has no configured error view, so you are seeing this as a fallback.</p>")
 			.append("<div id='created'>")
-			.append(timestamp)
+			.append(htmlEscape(timestamp))
 			.append("</div>")
 			.append("<div>[")
-			.append(requestId)
+			.append(htmlEscape(requestId))
 			.append("] There was an unexpected error (type=")
 			.append(htmlEscape(error.get("error")))
 			.append(", status=")

module/spring-boot-webflux/src/test/java/org/springframework/boot/webflux/autoconfigure/error/DefaultErrorWebExceptionHandlerIntegrationTests.java

@@ -430,6 +430,29 @@ void escapeHtmlInDefaultErrorView() {
 			});
 	}
 
+	@Test
+	void escapeHtmlInErrorAttributes() {
+		this.contextRunner.withPropertyValues("spring.mustache.prefix=classpath:/unknown/")
+			.withUserConfiguration(CustomErrorAttributesWithEscaping.class)
+			.run((context) -> {
+				WebTestClient client = getWebClient(context);
+				String body = client.get()
+					.uri("/")
+					.accept(MediaType.TEXT_HTML)
+					.exchange()
+					.expectStatus()
+					.isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR)
+					.expectHeader()
+					.contentType(TEXT_HTML_UTF8)
+					.expectBody(String.class)
+					.returnResult()
+					.getResponseBody();
+				assertThat(body).doesNotContain("<script>")
+					.contains("&lt;script&gt;")
+					.contains("xss-error", "xss-message", "xss-requestId", "xss-timestamp", "xss-trace");
+			});
+	}
+
 	@Test
 	void testExceptionWithNullMessage() {
 		this.contextRunner.withPropertyValues("spring.mustache.prefix=classpath:/unknown/").run((context) -> {
@@ -710,4 +733,29 @@ ErrorAttributes errorAttributes() {
 
 	}
 
+	@Configuration(proxyBeanMethods = false)
+	static class CustomErrorAttributesWithEscaping {
+
+		@Bean
+		ErrorAttributes errorAttributes() {
+			return new DefaultErrorAttributes() {
+
+				@Override
+				public Map<String, @Nullable Object> getErrorAttributes(ServerRequest request,
+						ErrorAttributeOptions options) {
+					Map<String, @Nullable Object> attributes = new LinkedHashMap<>(
+							super.getErrorAttributes(request, options));
+					attributes.put("error", "<script>alert('xss-error')</script>");
+					attributes.put("message", "<script>alert('xss-message')</script>");
+					attributes.put("requestId", "<script>alert('xss-requestId')</script>");
+					attributes.put("timestamp", "<script>alert('xss-timestamp')</script>");
+					attributes.put("trace", "<script>alert('xss-trace')</script>");
+					return attributes;
+				}
+
+			};
+		}
+
+	}
+
 }

module/spring-boot-webmvc/src/main/java/org/springframework/boot/webmvc/autoconfigure/error/ErrorMvcAutoConfiguration.java

@@ -216,7 +216,7 @@ public void render(@Nullable Map<String, ?> model, HttpServletRequest request, H
 			builder.append("<html><body><h1>Whitelabel Error Page</h1>")
 				.append("<p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p>")
 				.append("<div id='created'>")
-				.append(timestamp)
+				.append(htmlEscape(timestamp))
 				.append("</div>")
 				.append("<div>There was an unexpected error (type=")
 				.append(htmlEscape(model.get("error")))

module/spring-boot-webmvc/src/test/java/org/springframework/boot/webmvc/autoconfigure/error/ErrorMvcAutoConfigurationTests.java

@@ -90,6 +90,30 @@ void renderCanUseJavaTimeTypeAsTimestamp() { // gh-23256
 		});
 	}
 
+	@Test
+	void renderEscapesHtmlInErrorAttributes() {
+		this.contextRunner.run((context) -> {
+			View errorView = context.getBean("error", View.class);
+			ErrorAttributes errorAttributes = context.getBean(ErrorAttributes.class);
+			DispatcherServletWebRequest webRequest = createWebRequest(new IllegalStateException("Exception message"),
+					false);
+			Map<String, @Nullable Object> attributes = errorAttributes.getErrorAttributes(webRequest, withAllOptions());
+			attributes.put("error", "<script>alert('xss-error')</script>");
+			attributes.put("message", "<script>alert('xss-message')</script>");
+			attributes.put("timestamp", "<script>alert('xss-timestamp')</script>");
+			attributes.put("trace", "<script>alert('xss-trace')</script>");
+			HttpServletResponse response = webRequest.getResponse();
+			assertThat(response).isNotNull();
+			errorView.render(attributes, webRequest.getRequest(), response);
+			String responseString = ((MockHttpServletResponse) response).getContentAsString();
+			assertThat(responseString).contains("&lt;script&gt;alert(&#39;xss-error&#39;)&lt;/script&gt;")
+				.contains("&lt;script&gt;alert(&#39;xss-message&#39;)&lt;/script&gt;")
+				.contains("&lt;script&gt;alert(&#39;xss-timestamp&#39;)&lt;/script&gt;")
+				.contains("&lt;script&gt;alert(&#39;xss-trace&#39;)&lt;/script&gt;")
+				.doesNotContain("<script>");
+		});
+	}
+
 	@Test
 	void renderWhenAlreadyCommittedLogsMessage(CapturedOutput output) {
 		this.contextRunner.run((context) -> {