feffi
diff --git a/‎coverage-report/src/test/java/org/jooby/issues/Issue453.java‎
Lines changed: 61 additions & 0 deletions b/‎coverage-report/src/test/java/org/jooby/issues/Issue453.java‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎jooby/src/main/java/org/jooby/Env.java‎
Lines changed: 31 additions & 2 deletions b/‎jooby/src/main/java/org/jooby/Env.java‎
Lines changed: 31 additions & 2 deletions
diff --git a/‎jooby/src/main/java/org/jooby/Jooby.java‎
Lines changed: 18 additions & 0 deletions b/‎jooby/src/main/java/org/jooby/Jooby.java‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎jooby/src/main/java/org/jooby/Request.java‎
Lines changed: 110 additions & 1 deletion b/‎jooby/src/main/java/org/jooby/Request.java‎
Lines changed: 110 additions & 1 deletion
diff --git a/‎jooby/src/main/java/org/jooby/internal/EmptyBodyReference.java‎
Lines changed: 18 additions & 0 deletions b/‎jooby/src/main/java/org/jooby/internal/EmptyBodyReference.java‎
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,61 @@
+package org.jooby.issues;
+
+import org.jooby.test.ServerFeature;
+import org.junit.Test;
+
+public class Issue453 extends ServerFeature {
+
+  public static class Form {
+    public String text;
+  }
+
+  {
+    get("/453", req -> {
+      return req.param("text", "html").value();
+    });
+
+    get("/453/h", req -> {
+      return req.header("text", "html").value();
+    });
+
+    get("/453/escape-form", req -> {
+      return req.params(Form.class, req.param("xss").value("html")).text;
+    });
+
+    get("/453/to-escape-form", req -> {
+      return req.params(req.param("xss").value("html")).to(Form.class).text;
+    });
+
+    err((req, rsp, x) -> {
+      rsp.send(x.toMap().get("message"));
+    });
+  }
+
+  @Test
+  public void escape() throws Exception {
+    request()
+        .get("/453?text=%3Ch1%3EX%3C/h1%3E")
+        .expect("&lt;h1&gt;X&lt;/h1&gt;");
+
+    request()
+        .get("/453/h")
+        .header("text", "<h1>X</h1>")
+        .expect("&lt;h1&gt;X&lt;/h1&gt;");
+  }
+
+  @Test
+  public void escapeForm() throws Exception {
+    request()
+        .get("/453/escape-form?text=%3Ch1%3EX%3C/h1%3E")
+        .expect("&lt;h1&gt;X&lt;/h1&gt;");
+
+    request()
+        .get("/453/escape-form?text=%3Ch1%3EX%3C/h1%3E&xss=none")
+        .expect("<h1>X</h1>");
+
+    request()
+        .get("/453/to-escape-form?text=%3Ch1%3EX%3C/h1%3E")
+        .expect("&lt;h1&gt;X&lt;/h1&gt;");
+  }
+
+}
@@ -21,6 +21,7 @@
 import static com.google.common.base.Preconditions.checkArgument;
 import static java.util.Objects.requireNonNull;
 
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
@@ -29,6 +30,7 @@
 import java.util.Optional;
 import java.util.function.BiFunction;
 import java.util.function.Consumer;
+import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
 
@@ -66,7 +68,7 @@
 public interface Env extends LifeCycle {
 
   /**
-   * Utility class for generated {@link Key} for named services.
+   * Utility class for generating {@link Key} for named services.
    *
    * @author edgar
    */
@@ -139,6 +141,8 @@ default Env build(final Config config) {
 
       private ImmutableList.Builder<CheckedConsumer<Registry>> shutdown = ImmutableList.builder();
 
+      private Map<String, Function<String, String>> xss = new HashMap<>();
+
       private ServiceKey key = new ServiceKey();
 
       @Override
@@ -195,6 +199,18 @@ public Env onStart(final CheckedConsumer<Registry> task) {
       public List<CheckedConsumer<Registry>> startTasks() {
         return this.start.build();
       }
+
+      @Override
+      public Map<String, Function<String, String>> xss() {
+        return Collections.unmodifiableMap(xss);
+      }
+
+      @Override
+      public Env xss(final String name, final Function<String, String> escaper) {
+        xss.put(requireNonNull(name, "Name required."),
+            requireNonNull(escaper, "Function required."));
+        return this;
+      }
     };
   };
 
@@ -228,7 +244,6 @@ default ServiceKey serviceKey() {
     return new ServiceKey();
   }
 
-
   /**
    * Returns a string with all substitutions (the <code>${foo.bar}</code> syntax,
    * see <a href="https://github.com/typesafehub/config/blob/master/HOCON.md">the
@@ -423,6 +438,20 @@ default <T> Option<T> when(final Predicate<String> predicate, final T result) {
     return match().option(API.Case(predicate, result));
   }
 
+  /**
+   * @return XSS escape functions.
+   */
+  Map<String, Function<String, String>> xss();
+
+  /**
+   * Set/override a XSS escape function.
+   *
+   * @param name Escape's name.
+   * @param escaper Escape function.
+   * @return This environment.
+   */
+  Env xss(String name, Function<String, String> escaper);
+
   /**
    * @return List of start tasks.
    */
 
@@ -132,6 +132,9 @@
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.escape.Escaper;
+import com.google.common.html.HtmlEscapers;
+import com.google.common.net.UrlEscapers;
 import com.google.inject.Binder;
 import com.google.inject.Guice;
 import com.google.inject.Injector;
@@ -4060,6 +4063,9 @@ private Injector bootstrap(final Config args,
       throw new IllegalStateException("Required property 'application.secret' is missing");
     }
 
+    /** Some basic xss functions. */
+    xss(finalEnv);
+
     /** dependency injection */
     @SuppressWarnings("unchecked")
     Injector injector = Guice.createInjector(stage, binder -> {
@@ -4223,6 +4229,18 @@ private Injector bootstrap(final Config args,
     return injector;
   }
 
+  private void xss(final Env env) {
+    Escaper ufe = UrlEscapers.urlFragmentEscaper();
+    Escaper fpe = UrlEscapers.urlFormParameterEscaper();
+    Escaper pse = UrlEscapers.urlPathSegmentEscaper();
+    Escaper html = HtmlEscapers.htmlEscaper();
+
+    env.xss("urlFragment", ufe::escape)
+        .xss("formParam", fpe::escape)
+        .xss("pathSegment", pse::escape)
+        .xss("html", html::escape);
+  }
+
   private static Provider<Session.Definition> session(final Config $session,
       final Session.Definition session) {
     return () -> {
 
@@ -33,6 +33,7 @@
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.net.UrlEscapers;
 import com.google.inject.Key;
 import com.google.inject.TypeLiteral;
 
@@ -69,6 +70,11 @@ public String path() {
       return req.path();
     }
 
+    @Override
+    public String path(final boolean escape) {
+      return req.path(escape);
+    }
+
     @Override
     public boolean matches(final String pattern) {
       return req.matches(pattern);
@@ -134,16 +140,31 @@ public Mutant params() {
       return req.params();
     }
 
+    @Override
+    public Mutant params(final String... xss) {
+      return req.params(xss);
+    }
+
     @Override
     public <T> T params(final Class<T> type) {
       return req.params(type);
     }
 
+    @Override
+    public <T> T params(final Class<T> type, final String... xss) {
+      return req.params(type, xss);
+    }
+
     @Override
     public Mutant param(final String name) {
       return req.param(name);
     }
 
+    @Override
+    public Mutant param(final String name, final String... xss) {
+      return req.param(name, xss);
+    }
+
     @Override
     public Upload file(final String name) {
       return req.file(name);
@@ -159,6 +180,11 @@ public Mutant header(final String name) {
       return req.header(name);
     }
 
+    @Override
+    public Mutant header(final String name, final String... xss) {
+      return req.header(name, xss);
+    }
+
     @Override
     public Map<String, Mutant> headers() {
       return req.headers();
@@ -389,7 +415,23 @@ public static Request unwrap(final Request req) {
    * @return The request URL pathname.
    */
   default String path() {
-    return route().path();
+    return path(false);
+  }
+
+  /**
+   * Escape the path using {@link UrlEscapers#urlFragmentEscaper()}.
+   *
+   * Given:
+   *
+   * <pre>{@code
+   *  http://domain.com/404<h1>X</h1> {@literal ->} /404%3Ch1%3EX%3C/h1%3E
+   * }</pre>
+   *
+   * @return The request URL pathname.
+   */
+  default String path(final boolean escape) {
+    String path = route().path();
+    return escape ? UrlEscapers.urlFragmentEscaper().escape(path) : path;
   }
 
   /**
@@ -573,6 +615,22 @@ default Optional<MediaType> accepts(final MediaType... types) {
    */
   Mutant params();
 
+  /**
+   * Get all the available parameters. A HTTP parameter can be provided in any of
+   * these forms:
+   *
+   * <ul>
+   * <li>Path parameter, like: <code>/path/:name</code> or <code>/path/{name}</code></li>
+   * <li>Query parameter, like: <code>?name=jooby</code></li>
+   * <li>Body parameter when <code>Content-Type</code> is
+   * <code>application/x-www-form-urlencoded</code> or <code>multipart/form-data</code></li>
+   * </ul>
+   *
+   * @param xss Xss filter to apply.
+   * @return All the parameters.
+   */
+  Mutant params(String... xss);
+
   /**
    * Short version of <code>params().to(type)</code>.
    *
@@ -584,6 +642,18 @@ default <T> T params(final Class<T> type) {
     return params().to(type);
   }
 
+  /**
+   * Short version of <code>params(xss).to(type)</code>.
+   *
+   * @param type Object type.
+   * @param xss Xss filter to apply.
+   * @param <T> Value type.
+   * @return Instance of object.
+   */
+  default <T> T params(final Class<T> type, final String... xss) {
+    return params(xss).to(type);
+  }
+
   /**
    * Get a HTTP request parameter under the given name. A HTTP parameter can be provided in any of
    * these forms:
@@ -613,6 +683,36 @@ default <T> T params(final Class<T> type) {
    */
   Mutant param(String name);
 
+  /**
+   * Get a HTTP request parameter under the given name. A HTTP parameter can be provided in any of
+   * these forms:
+   * <ul>
+   * <li>Path parameter, like: <code>/path/:name</code> or <code>/path/{name}</code></li>
+   * <li>Query parameter, like: <code>?name=jooby</code></li>
+   * <li>Body parameter when <code>Content-Type</code> is
+   * <code>application/x-www-form-urlencoded</code> or <code>multipart/form-data</code></li>
+   * </ul>
+   *
+   * The order of precedence is: <code>path</code>, <code>query</code> and <code>body</code>. For
+   * example a pattern like: <code>GET /path/:name</code> for <code>/path/jooby?name=rocks</code>
+   * produces:
+   *
+   * <pre>
+   *  assertEquals("jooby", req.param(name).value());
+   *
+   *  assertEquals("jooby", req.param(name).toList().get(0));
+   *  assertEquals("rocks", req.param(name).toList().get(1));
+   * </pre>
+   *
+   * Uploads can be retrieved too when <code>Content-Type</code> is <code>multipart/form-data</code>
+   * see {@link Upload} for more information.
+   *
+   * @param name A parameter's name.
+   * @param xss Xss filter to apply.
+   * @return A HTTP request parameter.
+   */
+  Mutant param(String name, String... xss);
+
   /**
    * Get a file {@link Upload} with the given name. The request must be a POST with
    * <code>multipart/form-data</code> content-type.
@@ -643,6 +743,15 @@ default List<Upload> files(final String name) {
    */
   Mutant header(String name);
 
+  /**
+   * Get a HTTP header and apply the XSS escapers.
+   *
+   * @param name A header's name.
+   * @param xss Xss escapers.
+   * @return A HTTP request header.
+   */
+  Mutant header(final String name, final String... xss);
+
   /**
    * @return All the headers.
    */
 
@@ -1,3 +1,21 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
 package org.jooby.internal;
 
 import java.io.IOException;