feffi
diff --git a/‎coverage-report/src/test/java/org/jooby/ftl/Issue476FtlXss.java‎
Lines changed: 29 additions & 0 deletions b/‎coverage-report/src/test/java/org/jooby/ftl/Issue476FtlXss.java‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎coverage-report/src/test/java/org/jooby/hbs/Issue476HbsXss.java‎
Lines changed: 31 additions & 0 deletions b/‎coverage-report/src/test/java/org/jooby/hbs/Issue476HbsXss.java‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎coverage-report/src/test/java/org/jooby/jade/Issue476JadeXss.java‎
Lines changed: 29 additions & 0 deletions b/‎coverage-report/src/test/java/org/jooby/jade/Issue476JadeXss.java‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎coverage-report/src/test/java/org/jooby/pebble/Issue476PebbleXss.java‎
Lines changed: 29 additions & 0 deletions b/‎coverage-report/src/test/java/org/jooby/pebble/Issue476PebbleXss.java‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎coverage-report/src/test/resources/org/jooby/ftl/xss.html‎
Lines changed: 5 additions & 0 deletions b/‎coverage-report/src/test/resources/org/jooby/ftl/xss.html‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎coverage-report/src/test/resources/org/jooby/hbs/xss.html‎
Lines changed: 5 additions & 0 deletions b/‎coverage-report/src/test/resources/org/jooby/hbs/xss.html‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎coverage-report/src/test/resources/org/jooby/jade/xss.html.jade‎
Lines changed: 4 additions & 0 deletions b/‎coverage-report/src/test/resources/org/jooby/jade/xss.html.jade‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎coverage-report/src/test/resources/org/jooby/pebble/xss.html‎
Lines changed: 5 additions & 0 deletions b/‎coverage-report/src/test/resources/org/jooby/pebble/xss.html‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎jooby-csl/src/main/java/org/jooby/xss/XSS.java‎
Lines changed: 1 addition & 1 deletion b/‎jooby-csl/src/main/java/org/jooby/xss/XSS.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎jooby-ftl/src/main/java/org/jooby/ftl/Ftl.java‎
Lines changed: 2 additions & 1 deletion b/‎jooby-ftl/src/main/java/org/jooby/ftl/Ftl.java‎
Lines changed: 2 additions & 1 deletion
@@ -0,0 +1,29 @@
+package org.jooby.ftl;
+
+import org.jooby.Results;
+import org.jooby.test.ServerFeature;
+import org.jooby.xss.XSS;
+import org.junit.Test;
+
+public class Issue476FtlXss extends ServerFeature {
+
+  {
+    use(new XSS());
+
+    use(new Ftl());
+
+    get("/", req -> Results.html("org/jooby/ftl/xss").put("input", "<script>alert('xss');</script>"));
+  }
+
+  @Test
+  public void xssFn() throws Exception {
+    request()
+        .get("/")
+        .expect("<!DOCTYPE html>\n" +
+            "<html>\n" +
+            "  <body><a href=\"javascript:hello('&#x5C;u003Cscript&#x5C;u003Ealert%28&#x5C;u0027xss&#x5C;u0027%29%3B&#x5C;u003C&#x5C;u002Fscript&#x5C;u003E')\"></a>\n" +
+            "  </body>\n" +
+            "</html>");
+  }
+
+}
@@ -0,0 +1,31 @@
+package org.jooby.hbs;
+
+import org.jooby.Results;
+import org.jooby.test.ServerFeature;
+import org.jooby.xss.XSS;
+import org.junit.Test;
+
+public class Issue476HbsXss extends ServerFeature {
+
+  {
+    use(new XSS());
+
+    use(new Hbs());
+
+    get("/",
+        req -> Results.html("org/jooby/hbs/xss").put("input", "<script>alert('xss');</script>"));
+  }
+
+  @Test
+  public void xssFn() throws Exception {
+    request()
+        .get("/")
+        .expect("<!DOCTYPE html>\n" +
+            "<html>\n" +
+            "  <body><a href=\"javascript:hello('&#x5C;u003Cscript&#x5C;u003Ealert%28&#x5C;u0027xss&#x5C;u0027%29%3B&#x5C;u003C&#x5C;u002Fscript&#x5C;u003E')\"></a>\n"
+            +
+            "  </body>\n" +
+            "</html>");
+  }
+
+}
@@ -0,0 +1,29 @@
+package org.jooby.jade;
+
+import org.jooby.Results;
+import org.jooby.test.ServerFeature;
+import org.jooby.xss.XSS;
+import org.junit.Test;
+
+public class Issue476JadeXss extends ServerFeature {
+
+  {
+    use(new XSS());
+
+    use(new Jade(".html"));
+
+    get("/",
+        req -> Results.html("org/jooby/jade/xss").put("input", "<script>alert('xss');</script>"));
+  }
+
+  @Test
+  public void xssFn() throws Exception {
+    request()
+        .get("/")
+        .expect("<!DOCTYPE html>\n" +
+            "<html>\n" +
+            "  <body><a href=\"javascript:hello('&amp;#x5C;u003Cscript&amp;#x5C;u003Ealert%28&amp;#x5C;u0027xss&amp;#x5C;u0027%29%3B&amp;#x5C;u003C&amp;#x5C;u002Fscript&amp;#x5C;u003E')\"></a></body>\n" +
+            "</html>");
+  }
+
+}
@@ -0,0 +1,29 @@
+package org.jooby.pebble;
+
+import org.jooby.Results;
+import org.jooby.test.ServerFeature;
+import org.jooby.xss.XSS;
+import org.junit.Test;
+
+public class Issue476PebbleXss extends ServerFeature {
+
+  {
+    use(new XSS());
+
+    use(new Pebble());
+
+    get("/", req -> Results.html("org/jooby/pebble/xss").put("input", "<script>alert('xss');</script>"));
+  }
+
+  @Test
+  public void xssFn() throws Exception {
+    request()
+        .get("/")
+        .expect("<!DOCTYPE html>\n" +
+            "<html>\n" +
+            "  <body><a href=\"javascript:hello('&amp;#x5C;u003Cscript&amp;#x5C;u003Ealert%28&amp;#x5C;u0027xss&amp;#x5C;u0027%29%3B&amp;#x5C;u003C&amp;#x5C;u002Fscript&amp;#x5C;u003E')\"></a>\n" +
+            "  </body>\n" +
+            "</html>");
+  }
+
+}
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<html>
+  <body><a href="javascript:hello('${xss(input, "js", "uri", "html")}')"></a>
+  </body>
+</html>
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<html>
+  <body><a href="javascript:hello('{{xss input 'js' 'uri' 'html'}}')"></a>
+  </body>
+</html>
@@ -0,0 +1,4 @@
+doctype html
+html
+  body
+    a(href= "javascript:hello('" + xss.apply(input, "js", "uri", "html") + "')")
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<html>
+  <body><a href="javascript:hello('{{xss (input, 'js', 'uri', 'html')}}')"></a>
+  </body>
+</html>
@@ -57,7 +57,7 @@
  * If you want to learn more about nested context and why they are important have a look at this
  * <a href=
  * "http://security.coverity.com/document/2013/Mar/fixing-xss-a-practical-guide-for-developers.html">nice
- * guide</code> from
+ * guide</a> from
  * <a href="https://github.com/coverity/coverity-security-library">coverity-security-library</a>.
  * </p>
  *
 
@@ -28,6 +28,7 @@
 import org.jooby.Renderer;
 import org.jooby.internal.ftl.Engine;
 import org.jooby.internal.ftl.GuavaCacheStorage;
+import org.jooby.internal.ftl.XssDirective;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -194,7 +195,7 @@ public void configure(final Env env, final Config config, final Binder binder) {
 
       binder.bind(Configuration.class).toInstance(freemarker);
 
-      Engine engine = new Engine(freemarker, suffix);
+      Engine engine = new Engine(freemarker, suffix, new XssDirective(env));
 
       Multibinder.newSetBinder(binder, Renderer.class)
           .addBinding().toInstance(engine);
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +<!DOCTYPE html>
 +<html>
 +  <body><a href="javascript:hello('${xss(input, "js", "uri", "html")}')"></a>
 +  </body>
 +</html>
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@`
`57`	`57`	`* If you want to learn more about nested context and why they are important have a look at this`
`58`	`58`	`* <a href=`
`59`	`59`	`* "http://security.coverity.com/document/2013/Mar/fixing-xss-a-practical-guide-for-developers.html">nice`
`60`		`- * guide</code> from`
	`60`	`+ * guide</a> from`
`61`	`61`	`* <a href="https://github.com/coverity/coverity-security-library">coverity-security-library</a>.`
`62`	`62`	`* </p>`
`63`	`63`	`*`