Queue browse improvements in webconsole (apache#1938) (apache#1942)

cshannon · web-flow · commit 0982ba45a14b · 2026-04-17T10:03:26.000-04:00
This change makes sure we always use the correct content type for the output based on the configured view and also escape xml content when displaying. (cherry picked from commit a240dba)
diff --git a/activemq-web/pom.xml b/activemq-web/pom.xml
@@ -87,6 +87,13 @@
       <artifactId>websocket-jetty-server</artifactId>
     </dependency>
 
+    <!-- Just used for testing -->
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+      <scope>test</scope>
+    </dependency>
+
     <!-- Rome RSS Reader -->
     <dependency>
       <groupId>com.rometools</groupId>
diff --git a/activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java b/activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.web.util;
+
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class ViewUtils {
+
+    public static final String AMP = "&";
+    public static final String QUOTE = "\"";
+    public static final String LT = "<";
+    public static final String GT = ">";
+    public static final String APOS = "'";
+
+    public static final String XML_ESCAPED_AMP = "&amp;";
+    public static final String XML_ESCAPED_QUOTE = "&quot;";
+    public static final String XML_ESCAPED_LT = "&lt;";
+    public static final String XML_ESCAPED_GT = "&gt;";
+    public static final String XML_ESCAPED_APOS = "&apos;";
+
+    public static final Map<String, String> XML_ESCAPE_MAPPINGS;
+
+    static {
+        // order matters for processing so use a linked map
+        Map<String,String> mappings = new LinkedHashMap<>();
+        mappings.put(AMP, XML_ESCAPED_AMP);
+        mappings.put(LT, XML_ESCAPED_LT);
+        mappings.put(GT, XML_ESCAPED_GT);
+        mappings.put(QUOTE, XML_ESCAPED_QUOTE);
+        mappings.put(APOS, XML_ESCAPED_APOS);
+
+        XML_ESCAPE_MAPPINGS = Collections.unmodifiableMap(mappings);
+    }
+
+
+    public static String escapeXml(String input) {
+        if (input == null) {
+            return null;
+        }
+
+        String escaped = input;
+        for (Entry<String, String> entry : XML_ESCAPE_MAPPINGS.entrySet()) {
+            escaped = escaped.replace(entry.getKey(), entry.getValue());
+        }
+
+        return escaped;
+    }
+
+}
diff --git a/activemq-web/src/main/java/org/apache/activemq/web/view/RssMessageRenderer.java b/activemq-web/src/main/java/org/apache/activemq/web/view/RssMessageRenderer.java
@@ -49,7 +49,7 @@ public class RssMessageRenderer extends SimpleMessageRenderer {
     private String feedType = "rss_2.0";
     private SyndFeed feed;
     private String description = "This feed is auto-generated by Apache ActiveMQ";
-    private String entryContentType = "text/plain";
+    private static final String ENTRY_CONTENT_TYPE = "text/plain";
 
     public void renderMessage(PrintWriter writer, HttpServletRequest request, HttpServletResponse response, QueueBrowser browser, Message message) throws JMSException {
         SyndFeed feed = getFeed(browser, request);
@@ -79,11 +79,7 @@ public void setFeedType(String feedType) {
     }
 
     public String getEntryContentType() {
-        return entryContentType;
-    }
-
-    public void setEntryContentType(String entryContentType) {
-        this.entryContentType = entryContentType;
+        return ENTRY_CONTENT_TYPE;
     }
 
     // Implementation methods
@@ -122,7 +118,7 @@ protected SyndEntry createEntry(QueueBrowser browser, Message message, HttpServl
 
     protected SyndContent createEntryContent(QueueBrowser browser, Message message, HttpServletRequest request) throws JMSException {
         SyndContent description = new SyndContentImpl();
-        description.setType(entryContentType);
+        description.setType(getEntryContentType());
 
         if (message instanceof TextMessage) {
             String text = ((TextMessage)message).getText();
diff --git a/activemq-web/src/main/java/org/apache/activemq/web/view/SimpleMessageRenderer.java b/activemq-web/src/main/java/org/apache/activemq/web/view/SimpleMessageRenderer.java
@@ -26,6 +26,7 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.apache.activemq.web.util.ViewUtils;
 
 /**
  * A simple rendering of the contents of a queue appear as a list of message
@@ -35,11 +36,12 @@
  */
 public class SimpleMessageRenderer implements MessageRenderer {
 
-    private String contentType = "text/xml";
+    protected static final String DEFAULT_CONTENT_TYPE = "text/xml";
+
     private int maxMessages;
 
     public void renderMessages(HttpServletRequest request, HttpServletResponse response, QueueBrowser browser) throws IOException, JMSException, ServletException {
-        // lets use XML by default
+        // XML is used by default unless a child class overrides this method
         response.setContentType(getContentType());
         PrintWriter writer = response.getWriter();
         printHeader(writer, browser, request);
@@ -53,10 +55,10 @@ public void renderMessages(HttpServletRequest request, HttpServletResponse respo
         printFooter(writer, browser, request);
     }
 
-    public void renderMessage(PrintWriter writer, HttpServletRequest request, HttpServletResponse response, QueueBrowser browser, Message message) throws JMSException, ServletException {
+    public void renderMessage(PrintWriter writer, HttpServletRequest request, HttpServletResponse response, QueueBrowser browser, Message message) throws JMSException {
         // lets just write the message IDs for now
         writer.print("<message id='");
-        writer.print(message.getJMSMessageID());
+        writer.print(ViewUtils.escapeXml(message.getJMSMessageID()));
         writer.println("'/>");
     }
 
@@ -71,25 +73,21 @@ public void setMaxMessages(int maxMessages) {
     }
 
     public String getContentType() {
-        return contentType;
-    }
-
-    public void setContentType(String contentType) {
-        this.contentType = contentType;
+        return DEFAULT_CONTENT_TYPE;
     }
 
     // Implementation methods
     // -------------------------------------------------------------------------
 
-    protected void printHeader(PrintWriter writer, QueueBrowser browser, HttpServletRequest request) throws IOException, JMSException, ServletException {
+    protected void printHeader(PrintWriter writer, QueueBrowser browser, HttpServletRequest request) throws IOException, JMSException {
         writer.println("");
         writer.print("<messages queue='");
-        writer.print(browser.getQueue());
+        writer.print(ViewUtils.escapeXml(String.valueOf(browser.getQueue())));
         writer.print("'");
         String selector = browser.getMessageSelector();
         if (selector != null) {
             writer.print(" selector='");
-            writer.print(selector);
+            writer.print(ViewUtils.escapeXml(selector));
             writer.print("'");
         }
         writer.println(">");
diff --git a/activemq-web/src/test/java/org/apache/activemq/web/util/ViewUtilsTest.java b/activemq-web/src/test/java/org/apache/activemq/web/util/ViewUtilsTest.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.web.util;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import org.apache.commons.text.StringEscapeUtils;
+import org.junit.Test;
+
+public class ViewUtilsTest {
+
+    @Test
+    public void testXmlEscape() throws IOException {
+        final String original = Files.readString(Path.of("src/test/resources/activemq.xml"));
+        final String escaped = ViewUtils.escapeXml(original);
+
+        // Verify that our escape method matches StringEscapeUtils
+        assertEquals(StringEscapeUtils.escapeXml11(original), ViewUtils.escapeXml(original));
+        // Verify if we unescape we get back the original
+        assertEquals(original, StringEscapeUtils.unescapeXml(escaped));
+    }
+}
diff --git a/activemq-web/src/test/resources/activemq.xml b/activemq-web/src/test/resources/activemq.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<!-- START SNIPPET: xbean -->
+<beans
+    xmlns="http://www.springframework.org/schema/beans"
+    xmlns:amq="http://activemq.apache.org/schema/core"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+  <broker useJmx="false"  xmlns="http://activemq.apache.org/schema/core" persistent="false">
+
+    <transportConnectors>
+      <transportConnector uri="nio://localhost:61616?wireFormat.maxFrameSize=1048576" />
+    </transportConnectors>
+
+  </broker>
+
+</beans>
+    <!-- END SNIPPET: xbean -->
diff --git a/pom.xml b/pom.xml
@@ -51,6 +51,7 @@
     <commons-io-version>2.21.0</commons-io-version>
     <commons-logging-version>1.3.5</commons-logging-version>
     <commons-pool2-version>2.13.1</commons-pool2-version>
+    <commons-text-version>1.15.0</commons-text-version>
     <directory-version>2.0.0.AM25</directory-version>
     <ecj.version>3.44.0</ecj.version>
     <ftpserver-version>1.1.1</ftpserver-version>
@@ -911,6 +912,12 @@
         <version>${commons-io-version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-text</artifactId>
+        <version>${commons-text-version}</version>
+      </dependency>
+
       <!-- ACTIVEMQ-WEB Specific Dependencies -->
       <dependency>
         <groupId>com.rometools</groupId>
