Polish contribution

See gh-50205

Author: snicoll

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/reactive/error/DefaultErrorWebExceptionHandlerIntegrationTests.java

@@ -461,9 +461,9 @@ void escapeHtmlInDefaultErrorView() {
 	}
 
 	@Test
-	void escapeHtmlInTimestampAndRequestIdAttributes() {
+	void escapeHtmlInErrorAttributes() {
 		this.contextRunner.withPropertyValues("spring.mustache.prefix=classpath:/unknown/")
-			.withUserConfiguration(CustomErrorAttributesWithHtmlInTimestampAndRequestId.class)
+			.withUserConfiguration(CustomErrorAttributesWithEscaping.class)
 			.run((context) -> {
 				WebTestClient client = getWebClient(context);
 				String body = client.get()
@@ -477,7 +477,9 @@ void escapeHtmlInTimestampAndRequestIdAttributes() {
 					.expectBody(String.class)
 					.returnResult()
 					.getResponseBody();
-				assertThat(body).doesNotContain("<script>").contains("&lt;script&gt;");
+				assertThat(body).doesNotContain("<script>")
+					.contains("&lt;script&gt;")
+					.contains("xss-error", "xss-message", "xss-requestId", "xss-timestamp", "xss-trace");
 			});
 	}
 
@@ -803,19 +805,20 @@ public Map<String, Object> getErrorAttributes(ServerRequest request, ErrorAttrib
 	}
 
 	@Configuration(proxyBeanMethods = false)
-	static class CustomErrorAttributesWithHtmlInTimestampAndRequestId {
+	static class CustomErrorAttributesWithEscaping {
 
 		@Bean
 		ErrorAttributes errorAttributes() {
 			return new DefaultErrorAttributes() {
 
 				@Override
-				public Map<String, Object> getErrorAttributes(ServerRequest request,
-						ErrorAttributeOptions options) {
-					Map<String, Object> attributes = new LinkedHashMap<>(
-							super.getErrorAttributes(request, options));
-					attributes.put("timestamp", "<script>alert('xss')</script>");
-					attributes.put("requestId", "<script>alert('xss')</script>");
+				public Map<String, Object> getErrorAttributes(ServerRequest request, ErrorAttributeOptions options) {
+					Map<String, Object> attributes = new LinkedHashMap<>(super.getErrorAttributes(request, options));
+					attributes.put("error", "<script>alert('xss-error')</script>");
+					attributes.put("message", "<script>alert('xss-message')</script>");
+					attributes.put("requestId", "<script>alert('xss-requestId')</script>");
+					attributes.put("timestamp", "<script>alert('xss-timestamp')</script>");
+					attributes.put("trace", "<script>alert('xss-trace')</script>");
 					return attributes;
 				}
 

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/servlet/error/ErrorMvcAutoConfigurationTests.java

@@ -86,19 +86,25 @@ void renderCanUseJavaTimeTypeAsTimestamp() { // gh-23256
 	}
 
 	@Test
-	void renderEscapesHtmlInTimestampAttribute() {
+	void renderEscapesHtmlInErrorAttributes() {
 		this.contextRunner.run((context) -> {
 			View errorView = context.getBean("error", View.class);
 			ErrorAttributes errorAttributes = context.getBean(ErrorAttributes.class);
 			DispatcherServletWebRequest webRequest = createWebRequest(new IllegalStateException("Exception message"),
 					false);
 			Map<String, Object> attributes = errorAttributes.getErrorAttributes(webRequest, withAllOptions());
-			attributes.put("timestamp", "<script>alert('xss')</script>");
+			attributes.put("error", "<script>alert('xss-error')</script>");
+			attributes.put("message", "<script>alert('xss-message')</script>");
+			attributes.put("timestamp", "<script>alert('xss-timestamp')</script>");
+			attributes.put("trace", "<script>alert('xss-trace')</script>");
 			HttpServletResponse response = webRequest.getResponse();
 			assertThat(response).isNotNull();
 			errorView.render(attributes, webRequest.getRequest(), response);
 			String responseString = ((MockHttpServletResponse) response).getContentAsString();
-			assertThat(responseString).contains("&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;")
+			assertThat(responseString).contains("&lt;script&gt;alert(&#39;xss-error&#39;)&lt;/script&gt;")
+				.contains("&lt;script&gt;alert(&#39;xss-message&#39;)&lt;/script&gt;")
+				.contains("&lt;script&gt;alert(&#39;xss-timestamp&#39;)&lt;/script&gt;")
+				.contains("&lt;script&gt;alert(&#39;xss-trace&#39;)&lt;/script&gt;")
 				.doesNotContain("<script>");
 		});
 	}