Object handlers should not give access to Object.class methods and fields

Sam Pullara · Sam Pullara · commit 4b9296fc4fff · 2011-11-20T15:44:42.000-08:00
diff --git a/builder/src/test/java/com/sampullara/mustache/InterpreterTest.java b/builder/src/test/java/com/sampullara/mustache/InterpreterTest.java
@@ -58,6 +58,25 @@ int taxed_value() {
     assertEquals(getContents(root, "simple.txt"), sw.toString());
   }
 
+  public void testSecurity() throws MustacheException, IOException, ExecutionException, InterruptedException {
+    MustacheBuilder c = new MustacheBuilder(root);
+    Mustache m = c.parseFile("security.html");
+    StringWriter sw = new StringWriter();
+    FutureWriter writer = new FutureWriter(sw);
+    m.execute(writer, new Scope(new Object() {
+      String name = "Chris";
+      int value = 10000;
+
+      int taxed_value() {
+        return (int) (this.value - (this.value * 0.4));
+      }
+
+      boolean in_ca = true;
+    }));
+    writer.flush();
+    assertEquals(getContents(root, "security.txt"), sw.toString());
+  }
+
   public void testXSS() throws MustacheException, IOException, ExecutionException, InterruptedException {
     MustacheBuilder c = new MustacheBuilder(root);
     Mustache m = c.parseFile("xss.html");
diff --git a/src/test/resources/security.html b/src/test/resources/security.html
@@ -0,0 +1 @@
+{{class.name}}{{getClass.getName}}
diff --git a/src/test/resources/security.txt b/src/test/resources/security.txt
