From bd0acaaceffd76e8706e75e107c3859ef6f9f0c6 Mon Sep 17 00:00:00 2001
From: "Christopher L. Shannon" <cshannon@apache.org>
Date: Wed, 15 Apr 2026 20:30:31 -0400
Subject: [PATCH 1/2] Queue browse improvements in webconsole

This change makes sure we always use the correct content type for the
output based on the configured view and also escape xml content when
displaying.
---
 activemq-web/pom.xml                          |  7 ++
 .../apache/activemq/web/util/ViewUtils.java   | 67 +++++++++++++++++++
 .../activemq/web/view/RssMessageRenderer.java | 10 +--
 .../web/view/SimpleMessageRenderer.java       | 22 +++---
 .../activemq/web/util/ViewUtilsTest.java      | 39 +++++++++++
 activemq-web/src/test/resources/activemq.xml  | 37 ++++++++++
 pom.xml                                       |  7 ++
 7 files changed, 170 insertions(+), 19 deletions(-)
 create mode 100644 activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java
 create mode 100644 activemq-web/src/test/java/org/apache/activemq/web/util/ViewUtilsTest.java
 create mode 100644 activemq-web/src/test/resources/activemq.xml

diff --git a/activemq-web/pom.xml b/activemq-web/pom.xml
index 6c1f85d28a8..11f556b220f 100644
--- a/activemq-web/pom.xml
+++ b/activemq-web/pom.xml
@@ -87,6 +87,13 @@
       <artifactId>websocket-jetty-server</artifactId>
     </dependency>
 
+    <!-- Just used for testing -->
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+      <scope>test</scope>
+    </dependency>
+
     <!-- Rome RSS Reader -->
     <dependency>
       <groupId>com.rometools</groupId>
diff --git a/activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java b/activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java
new file mode 100644
index 00000000000..f02672cd386
--- /dev/null
+++ b/activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.web.util;
+
+import com.rometools.rome.feed.atom.Link;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class ViewUtils {
+
+    public static final String AMP = "&";
+    public static final String QUOTE = "\"";
+    public static final String LT = "<";
+    public static final String GT = ">";
+    public static final String APOS = "'";
+
+    public static final String XML_ESCAPED_AMP = "&amp;";
+    public static final String XML_ESCAPED_QUOTE = "&quot;";
+    public static final String XML_ESCAPED_LT = "&lt;";
+    public static final String XMl_ESCAPED_GT = "&gt;";
+    public static final String XML_ESCAPED_APOS = "&apos;";
+
+    public static final Map<String, String> XML_ESCAPE_MAPPINGS;
+
+    static {
+        // order matters for processing so use a linked map
+        Map<String,String> mappings = new LinkedHashMap<>();
+        mappings.put(AMP, XML_ESCAPED_AMP);
+        mappings.put(LT, XML_ESCAPED_LT);
+        mappings.put(GT, XMl_ESCAPED_GT);
+        mappings.put(QUOTE, XML_ESCAPED_QUOTE);
+        mappings.put(APOS, XML_ESCAPED_APOS);
+
+        XML_ESCAPE_MAPPINGS = Collections.unmodifiableMap(mappings);
+    }
+
+
+    public static String escapeXml(String input) {
+        if (input == null) {
+            return null;
+        }
+
+        String escaped = input;
+        for (Entry<String, String> entry : XML_ESCAPE_MAPPINGS.entrySet()) {
+            escaped = escaped.replace(entry.getKey(), entry.getValue());
+        }
+
+        return escaped;
+    }
+
+}
diff --git a/activemq-web/src/main/java/org/apache/activemq/web/view/RssMessageRenderer.java b/activemq-web/src/main/java/org/apache/activemq/web/view/RssMessageRenderer.java
index 088a4c1926b..f05d0467833 100644
--- a/activemq-web/src/main/java/org/apache/activemq/web/view/RssMessageRenderer.java
+++ b/activemq-web/src/main/java/org/apache/activemq/web/view/RssMessageRenderer.java
@@ -49,7 +49,7 @@ public class RssMessageRenderer extends SimpleMessageRenderer {
     private String feedType = "rss_2.0";
     private SyndFeed feed;
     private String description = "This feed is auto-generated by Apache ActiveMQ";
-    private String entryContentType = "text/plain";
+    private static final String ENTRY_CONTENT_TYPE = "text/plain";
 
     public void renderMessage(PrintWriter writer, HttpServletRequest request, HttpServletResponse response, QueueBrowser browser, Message message) throws JMSException {
         SyndFeed feed = getFeed(browser, request);
@@ -79,11 +79,7 @@ public void setFeedType(String feedType) {
     }
 
     public String getEntryContentType() {
-        return entryContentType;
-    }
-
-    public void setEntryContentType(String entryContentType) {
-        this.entryContentType = entryContentType;
+        return ENTRY_CONTENT_TYPE;
     }
 
     // Implementation methods
@@ -122,7 +118,7 @@ protected SyndEntry createEntry(QueueBrowser browser, Message message, HttpServl
 
     protected SyndContent createEntryContent(QueueBrowser browser, Message message, HttpServletRequest request) throws JMSException {
         SyndContent description = new SyndContentImpl();
-        description.setType(entryContentType);
+        description.setType(getEntryContentType());
 
         if (message instanceof TextMessage) {
             String text = ((TextMessage)message).getText();
diff --git a/activemq-web/src/main/java/org/apache/activemq/web/view/SimpleMessageRenderer.java b/activemq-web/src/main/java/org/apache/activemq/web/view/SimpleMessageRenderer.java
index f8165d8849a..7c14248743b 100644
--- a/activemq-web/src/main/java/org/apache/activemq/web/view/SimpleMessageRenderer.java
+++ b/activemq-web/src/main/java/org/apache/activemq/web/view/SimpleMessageRenderer.java
@@ -26,6 +26,7 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.apache.activemq.web.util.ViewUtils;
 
 /**
  * A simple rendering of the contents of a queue appear as a list of message
@@ -35,11 +36,12 @@
  */
 public class SimpleMessageRenderer implements MessageRenderer {
 
-    private String contentType = "text/xml";
+    protected static final String DEFAULT_CONTENT_TYPE = "text/xml";
+
     private int maxMessages;
 
     public void renderMessages(HttpServletRequest request, HttpServletResponse response, QueueBrowser browser) throws IOException, JMSException, ServletException {
-        // lets use XML by default
+        // XML is used by default unless a child class overrides this method
         response.setContentType(getContentType());
         PrintWriter writer = response.getWriter();
         printHeader(writer, browser, request);
@@ -53,10 +55,10 @@ public void renderMessages(HttpServletRequest request, HttpServletResponse respo
         printFooter(writer, browser, request);
     }
 
-    public void renderMessage(PrintWriter writer, HttpServletRequest request, HttpServletResponse response, QueueBrowser browser, Message message) throws JMSException, ServletException {
+    public void renderMessage(PrintWriter writer, HttpServletRequest request, HttpServletResponse response, QueueBrowser browser, Message message) throws JMSException {
         // lets just write the message IDs for now
         writer.print("<message id='");
-        writer.print(message.getJMSMessageID());
+        writer.print(ViewUtils.escapeXml(message.getJMSMessageID()));
         writer.println("'/>");
     }
 
@@ -71,25 +73,21 @@ public void setMaxMessages(int maxMessages) {
     }
 
     public String getContentType() {
-        return contentType;
-    }
-
-    public void setContentType(String contentType) {
-        this.contentType = contentType;
+        return DEFAULT_CONTENT_TYPE;
     }
 
     // Implementation methods
     // -------------------------------------------------------------------------
 
-    protected void printHeader(PrintWriter writer, QueueBrowser browser, HttpServletRequest request) throws IOException, JMSException, ServletException {
+    protected void printHeader(PrintWriter writer, QueueBrowser browser, HttpServletRequest request) throws IOException, JMSException {
         writer.println("");
         writer.print("<messages queue='");
-        writer.print(browser.getQueue());
+        writer.print(ViewUtils.escapeXml(String.valueOf(browser.getQueue())));
         writer.print("'");
         String selector = browser.getMessageSelector();
         if (selector != null) {
             writer.print(" selector='");
-            writer.print(selector);
+            writer.print(ViewUtils.escapeXml(selector));
             writer.print("'");
         }
         writer.println(">");
diff --git a/activemq-web/src/test/java/org/apache/activemq/web/util/ViewUtilsTest.java b/activemq-web/src/test/java/org/apache/activemq/web/util/ViewUtilsTest.java
new file mode 100644
index 00000000000..668edb2fce9
--- /dev/null
+++ b/activemq-web/src/test/java/org/apache/activemq/web/util/ViewUtilsTest.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.web.util;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import org.apache.commons.text.StringEscapeUtils;
+import org.junit.Test;
+
+public class ViewUtilsTest {
+
+    @Test
+    public void testXmlEscape() throws IOException {
+        final String original = Files.readString(Path.of("src/test/resources/activemq.xml"));
+        final String escaped = ViewUtils.escapeXml(original);
+
+        // Verify that our escape method matches StringEscapeUtils
+        assertEquals(StringEscapeUtils.escapeXml11(original), ViewUtils.escapeXml(original));
+        // Verify if we unescape we get back the original
+        assertEquals(original, StringEscapeUtils.unescapeXml(escaped));
+    }
+}
diff --git a/activemq-web/src/test/resources/activemq.xml b/activemq-web/src/test/resources/activemq.xml
new file mode 100644
index 00000000000..9affdddf3e8
--- /dev/null
+++ b/activemq-web/src/test/resources/activemq.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<!-- START SNIPPET: xbean -->
+<beans
+    xmlns="http://www.springframework.org/schema/beans"
+    xmlns:amq="http://activemq.apache.org/schema/core"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+  <broker useJmx="false"  xmlns="http://activemq.apache.org/schema/core" persistent="false">
+
+    <transportConnectors>
+      <transportConnector uri="nio://localhost:61616?wireFormat.maxFrameSize=1048576" />
+    </transportConnectors>
+
+  </broker>
+
+</beans>
+    <!-- END SNIPPET: xbean -->
diff --git a/pom.xml b/pom.xml
index 260f4342fa2..4e3943b0ced 100644
--- a/pom.xml
+++ b/pom.xml
@@ -60,6 +60,7 @@
     <commons-io-version>2.21.0</commons-io-version>
     <commons-logging-version>1.3.6</commons-logging-version>
     <commons-pool2-version>2.13.1</commons-pool2-version>
+    <commons-text-version>1.15.0</commons-text-version>
     <directory-version>2.0.0.AM25</directory-version>
     <ecj.version>3.45.0</ecj.version>
     <hawtbuf-version>1.11</hawtbuf-version>
@@ -901,6 +902,12 @@
         <version>${commons-io-version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-text</artifactId>
+        <version>${commons-text-version}</version>
+      </dependency>
+
       <!-- ACTIVEMQ-WEB Specific Dependencies -->
       <dependency>
         <groupId>com.rometools</groupId>

From edf7052c15c832d0d58cad3f5e83719211491665 Mon Sep 17 00:00:00 2001
From: "Christopher L. Shannon" <cshannon@apache.org>
Date: Fri, 17 Apr 2026 07:41:44 -0400
Subject: [PATCH 2/2] minor fixes

---
 .../src/main/java/org/apache/activemq/web/util/ViewUtils.java  | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java b/activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java
index f02672cd386..378461f74d0 100644
--- a/activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java
+++ b/activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java
@@ -16,7 +16,6 @@
  */
 package org.apache.activemq.web.util;
 
-import com.rometools.rome.feed.atom.Link;
 import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -33,7 +32,7 @@ public class ViewUtils {
     public static final String XML_ESCAPED_AMP = "&amp;";
     public static final String XML_ESCAPED_QUOTE = "&quot;";
     public static final String XML_ESCAPED_LT = "&lt;";
-    public static final String XMl_ESCAPED_GT = "&gt;";
+    public static final String XML_ESCAPED_GT = "&gt;";
     public static final String XML_ESCAPED_APOS = "&apos;";
 
     public static final Map<String, String> XML_ESCAPE_MAPPINGS;