automatically escape JSON values, if renderend in a template for a JSON content-type; removed 'fn.' prefix from Groovy function calls

rrayst · rrayst · commit 9c9f29938f11 · 2026-02-09T21:25:03.000+01:00
diff --git a/README.md b/README.md
@@ -57,9 +57,10 @@ api:
           htpasswdPath: .htpasswd
     - request:
         - template:
+            contentType: application/json
             src: |
               {
-                "sub": ${fn.toJSON(fn.user())}
+                "sub": ${user()}
               }
         - jwtSign:
             jwk:
@@ -722,7 +723,7 @@ api:
             contentType: application/json
             src: |
               {
-                "destination": ${fn.toJSON(json.city)}
+                "destination": ${json.city}
               }
     - return:
         status: 200
@@ -756,7 +757,7 @@ api:
     - request:
         - template:
             src: |
-              Buenas noches, ${fn.xpath('/person/@firstname')}
+              Buenas noches, ${xpath('/person/@firstname')}
         - return:
             status: 200
 ```
diff --git a/core/src/main/java/com/predic8/membrane/core/interceptor/templating/TemplateInterceptor.java b/core/src/main/java/com/predic8/membrane/core/interceptor/templating/TemplateInterceptor.java
@@ -121,13 +121,17 @@ protected byte[] getContent(Exchange exchange, Flow flow) {
     }
 
     private @NotNull Map<String, Object> getVariableBinding(Exchange exc, Flow flow) {
-        return createParameterBindings(router, exc, flow, scriptAccessesJson && isJsonMessage(exc, flow));
+        return createParameterBindings(router, exc, flow, scriptAccessesJson && isJsonMessage(exc, flow), producesJSON());
     }
 
     private static boolean isJsonMessage(Exchange exc, Flow flow) {
         return exc.getMessage(flow).isJSON();
     }
 
+    private boolean producesJSON() {
+        return contentType != null && contentType.contains("json");
+    }
+
     private Template createTemplate() {
         if (src == null)
             throw new ConfigurationException("No template content provided via 'location' or inline text (%s).".formatted(getTemplateLocation()));
diff --git a/core/src/main/java/com/predic8/membrane/core/lang/AbstractScriptInterceptor.java b/core/src/main/java/com/predic8/membrane/core/lang/AbstractScriptInterceptor.java
@@ -207,7 +207,7 @@ protected void handleScriptExecutionException(Exchange exc, Exception e) {
     }
 
     private Map<String, Object> getParameterBindings(Exchange exc, Flow flow, Message msg) {
-        var binding = createParameterBindings(router, exc, flow, scriptAccessesJson && msg.isJSON());
+        var binding = createParameterBindings(router, exc, flow, scriptAccessesJson && msg.isJSON(), false);
         addOutcomeObjects(binding);
         return binding;
     }
diff --git a/core/src/main/java/com/predic8/membrane/core/lang/ScriptingUtils.java b/core/src/main/java/com/predic8/membrane/core/lang/ScriptingUtils.java
@@ -42,7 +42,7 @@ public class ScriptingUtils {
 
     private static final ObjectMapper om = new ObjectMapper();
 
-    public static Map<String, Object> createParameterBindings(Router router, Exchange exc, Flow flow, boolean includeJsonObject) {
+    public static Map<String, Object> createParameterBindings(Router router, Exchange exc, Flow flow, boolean includeJsonObject, boolean isJSON) {
 
         var msg = exc.getMessage(flow);
 
@@ -112,8 +112,15 @@ public static Map<String, Object> createParameterBindings(Router router, Exchang
 
         params.put("pathParam", new PathParametersMap(exc));
 
-        // Allow invoking functions in Groovy with ${fn.functionname()}
-        params.put("fn", new GroovyBuiltInFunctions(exc, flow, router));
+        // Allow invoking functions in Groovy with ${functionname()}
+        params.put("fn", new GroovyBuiltInFunctions(exc, flow, router, params) {
+            @Override
+            public Object escape(Object o) {
+                if (isJSON)
+                    return toJSON(o);
+                return o;
+            }
+        });
 
         return params;
     }
diff --git a/core/src/main/java/com/predic8/membrane/core/lang/groovy/GroovyBuiltInFunctions.java b/core/src/main/java/com/predic8/membrane/core/lang/groovy/GroovyBuiltInFunctions.java
@@ -19,24 +19,24 @@
 import com.predic8.membrane.core.interceptor.Interceptor.Flow;
 import com.predic8.membrane.core.lang.CommonBuiltInFunctions;
 import com.predic8.membrane.core.router.*;
-import groovy.lang.GroovyObjectSupport;
+import groovy.lang.Binding;
 
 import java.util.List;
+import java.util.Map;
 
 /**
  * Helper class for built-in functions that delegates to the implementation CommonBuiltInFunctions.
- *  Difference to SpEL:
- *  The functions are called with ${fn.functionname()} instead of ${functionname()} in the template interceptor
  */
 @SuppressWarnings("unused")
-public class GroovyBuiltInFunctions extends GroovyObjectSupport {
+public class GroovyBuiltInFunctions extends Binding {
 
     private final Exchange exchange;
     private final Flow flow;
     private final Router router;
     private XmlConfig xmlConfig;
 
-    public GroovyBuiltInFunctions(Exchange exchange, Flow flow, Router router) {
+    public GroovyBuiltInFunctions(Exchange exchange, Flow flow, Router router, Map<String, Object> params) {
+        super(params);
         this.exchange = exchange;
         this.flow = flow;
         this.router = router;
@@ -118,4 +118,13 @@ public long getDefaultSessionLifetime(String beanName) {
     public String env(String s) {
         return CommonBuiltInFunctions.env(s);
     }
+
+    /**
+     * Post-Process values before they are written to the output.
+     *
+     * This gives subclasses the option to perform escaping (e.g. JSON/XML).
+     */
+    public Object escape(Object o) {
+        return o;
+    }
 }
diff --git a/core/src/main/java/com/predic8/membrane/core/lang/groovy/GroovyExchangeExpression.java b/core/src/main/java/com/predic8/membrane/core/lang/groovy/GroovyExchangeExpression.java
@@ -47,7 +47,7 @@ public GroovyExchangeExpression(String source, Router router) {
     public <T> T evaluate(Exchange exchange, Interceptor.Flow flow, Class<T> type) {
         Object o = null;
         try {
-            o = script.apply(createParameterBindings(router, exchange, flow, false));
+            o = script.apply(createParameterBindings(router, exchange, flow, false, false));
         } catch (MissingPropertyException mpe) {
             log.info("Expression {} tries to access non existing property {}",expression,mpe.getMessage());
             if (type.getName().equals(Object.class.getName())) {
diff --git a/core/src/main/java/com/predic8/membrane/core/lang/groovy/adapted/StreamingTemplateEngine.java b/core/src/main/java/com/predic8/membrane/core/lang/groovy/adapted/StreamingTemplateEngine.java
@@ -55,7 +55,7 @@
  * methods.
  *
  * We therefore decided to copy the code of the inner class here (see first commit) and then made
- * some adjustments (the following commits).
+ * some adjustments (the following commits, see "adjustment" comments).
  */
 public class StreamingTemplateEngine extends groovy.text.StreamingTemplateEngine {
     @Override
@@ -86,7 +86,11 @@ private static class StreamingTemplate implements Template {
                 +   "return { _p, _s, _b, out -> "
                 +     "int _i = 0;"
                 +     "try {"
-                +       "delegate = new Binding(_b);";
+                // adjustment: using the GroovyBuiltInFunctions binding implementation
+                // provided from the outside (via the 'fn' map entry) allows the script
+                // to directly call Membrane functions. This enables templating syntax like
+                // ${xpath('/root/element')} .
+                +       "delegate = _b.get('fn');";
 
         /**
          * The 'footer' we use for the resulting groovy script source
@@ -514,7 +518,7 @@ private int parseDollarIdentifier(int c,
                                           final StringBuilder target,
                                           final Position sourcePosition,
                                           final Position targetPosition) throws IOException, FinishedReadingException {
-            append(target, targetPosition, "out<<");
+            append(target, targetPosition, "out<<escape("); // adjustment: escape the output
             append(target, targetPosition, (char) c);
 
             while (true) {
@@ -525,7 +529,7 @@ private int parseDollarIdentifier(int c,
                 append(target, targetPosition, (char) c);
             }
 
-            append(target, targetPosition, ";");
+            append(target, targetPosition, ");");
 
             return c;
         }
@@ -562,10 +566,13 @@ private void parseDollarCurlyIdentifier(final Reader reader,
                                                 final StringBuilder target,
                                                 final Position sourcePosition,
                                                 final Position targetPosition) throws IOException, FinishedReadingException {
-            append(target, targetPosition, "out<<\"\"\"${");
+            append(target, targetPosition, "out<<\"\"\"${escape("); // adjustment: escape the output
 
             while (true) {
                 int c = read(reader, sourcePosition);
+                // adjustment: escape the output
+                if (c == '}')
+                    append(target, targetPosition, ')');
                 append(target, targetPosition, (char) c);
                 if (c == '}') break;
             }
@@ -612,11 +619,11 @@ private void parseExpression(final Reader reader,
                                      final StringBuilder target,
                                      final Position sourcePosition,
                                      final Position targetPosition) throws IOException, FinishedReadingException {
-            append(target, targetPosition, "out<<\"\"\"${");
+            append(target, targetPosition, "out<<\"\"\"${escape("); // adjustment: escape the output
 
             readAndAppend(reader, target, sourcePosition, targetPosition);
 
-            append(target, targetPosition, "}\"\"\";");
+            append(target, targetPosition, ")}\"\"\";");
         }
 
         @Override
diff --git a/core/src/test/java/com/predic8/membrane/core/interceptor/templating/GroovyTemplateEscapingTest.java b/core/src/test/java/com/predic8/membrane/core/interceptor/templating/GroovyTemplateEscapingTest.java
@@ -0,0 +1,49 @@
+package com.predic8.membrane.core.interceptor.templating;
+
+import com.predic8.membrane.core.exchange.Exchange;
+import com.predic8.membrane.core.http.Request;
+import com.predic8.membrane.core.lang.groovy.adapted.StreamingTemplateEngine;
+import com.predic8.membrane.core.router.TestRouter;
+import groovy.text.Template;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.io.StringReader;
+import java.net.URISyntaxException;
+
+import static com.predic8.membrane.core.interceptor.Interceptor.Flow.REQUEST;
+import static com.predic8.membrane.core.lang.ScriptingUtils.createParameterBindings;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class GroovyTemplateEscapingTest {
+    private TestRouter r;
+    private Exchange e;
+
+    @BeforeEach
+    public void setUp() throws URISyntaxException {
+        r = new TestRouter();
+        e = Request.get("http://localhost/foo").buildExchange();
+    }
+
+    @Test
+    public void noJSON() throws IOException, ClassNotFoundException, URISyntaxException {
+        Template t = new StreamingTemplateEngine().createTemplate(new StringReader(
+                "${flow} $flow <%= flow %> ${hasScope('foo')}"));
+
+        assertEquals("REQUEST REQUEST REQUEST false",
+                t.make(createParameterBindings(r, e, REQUEST, false, false))
+                        .toString());
+    }
+
+    @Test
+    public void JSON() throws IOException, ClassNotFoundException, URISyntaxException {
+        Template t = new StreamingTemplateEngine().createTemplate(new StringReader(
+                "${flow} $flow <%= flow %> ${hasScope('foo')}"));
+
+        assertEquals("\"REQUEST\" \"REQUEST\" \"REQUEST\" false",
+                t.make(createParameterBindings(r, e, REQUEST, false, true))
+                        .toString());
+    }
+
+}
diff --git a/core/src/test/java/com/predic8/membrane/core/interceptor/templating/TemplateInterceptorTest.java b/core/src/test/java/com/predic8/membrane/core/interceptor/templating/TemplateInterceptorTest.java
@@ -248,7 +248,7 @@ void builtInFunctions() {
         exc.setProperty(SECURITY_SCHEMES, List.of(new BasicHttpSecurityScheme().username("alice")));
         ti.setContentType(APPLICATION_JSON);
         ti.setSrc("""
-        { "foo": "${fn.user()}" }
+        { "foo": ${user()} }
         """);
         ti.init(router);
         ti.handleRequest(exc);
diff --git a/core/src/test/java/com/predic8/membrane/core/lang/groovy/GroovyBuiltInFunctionsTest.java b/core/src/test/java/com/predic8/membrane/core/lang/groovy/GroovyBuiltInFunctionsTest.java
@@ -34,7 +34,7 @@ class GroovyBuiltInFunctionsTest {
 
     @BeforeEach
     void setUp() throws URISyntaxException {
-        functions = new GroovyBuiltInFunctions(post("/foo").xml("<person name='Fritz'/>").buildExchange(), REQUEST, new DummyTestRouter());
+        functions = new GroovyBuiltInFunctions(post("/foo").xml("<person name='Fritz'/>").buildExchange(), REQUEST, new DummyTestRouter(), new HashMap<>());
     }
 
     @Test
diff --git a/distribution/examples/extending-membrane/if/README.md b/distribution/examples/extending-membrane/if/README.md
@@ -51,7 +51,7 @@ A common use case of the `if` plugin is the manipulation of responses based on t
             <template pretty="yes" contentType="application/json">
                 {
                   "type": "https://membrane-api.io/error/",
-                  "title": ${fn.toJSON(exc.response.statusMessage)}
+                  "title": ${exc.response.statusMessage}
                 }
             </template>
         </if>
diff --git a/distribution/examples/extending-membrane/if/apis.yaml b/distribution/examples/extending-membrane/if/apis.yaml
@@ -55,7 +55,7 @@ api:
                   src: |
                     {
                       "type": "https://membrane-api.io/error/",
-                      "title": ${fn.toJSON(exc.response.statusMessage)},
+                      "title": ${exc.response.statusMessage},
                       "status": ${exc.response.statusCode}
                     }
         - if:
diff --git a/distribution/examples/extending-membrane/if/proxies.xml b/distribution/examples/extending-membrane/if/proxies.xml
@@ -38,7 +38,7 @@
                     <template pretty="yes" contentType="application/json">
                         {
                         "type": "https://membrane-api.io/error/",
-                        "title": ${fn.toJSON(exc.response.statusMessage)},
+                        "title": ${exc.response.statusMessage},
                         "status": ${exc.response.statusCode}
                         }
                     </template>
diff --git a/distribution/examples/orchestration/call-post/apis.yaml b/distribution/examples/orchestration/call-post/apis.yaml
@@ -18,7 +18,7 @@ api:
             contentType: application/json
             src: |
               {
-                "name": ${fn.toJSON(property.name + ' Big Pack')},
+                "name": ${property.name + ' Big Pack'},
                 "price": ${property.price}
               }
         - call:
diff --git a/distribution/examples/orchestration/call-post/proxies.xml b/distribution/examples/orchestration/call-post/proxies.xml
@@ -15,7 +15,7 @@
                 <!-- Creates a new JSON body with the name and modified price -->
                 <template contentType="application/json">
                     {
-                    "name": ${fn.toJSON(property.name + ' Big Pack')},
+                    "name": ${property.name + ' Big Pack'},
                     "price": ${property.price}
                     }
                 </template>
diff --git a/distribution/examples/orchestration/for-loop/apis.yaml b/distribution/examples/orchestration/for-loop/apis.yaml
@@ -19,7 +19,7 @@ api:
                     property.result = property.result ?: []
                     property.result.add(
                       [ "name": property.it.name,
-                        "price": fn.jsonPath('$.price')
+                        "price": jsonPath('$.price')
                       ])
         # Render a simplified JSON response with only product name and price
         - template:
@@ -30,7 +30,7 @@ api:
                   "products": [
                     <% property.result.eachWithIndex { p, idx -> %>
                       {
-                          "name": ${fn.toJSON(p.name)},
+                          "name": ${p.name},
                           "price": ${p.price}
                       }${idx < property.result.size() - 1 ? ',' : ''}
                     <% } %>
diff --git a/distribution/examples/orchestration/for-loop/proxies.xml b/distribution/examples/orchestration/for-loop/proxies.xml
@@ -32,8 +32,8 @@
                             "products": [
 							    <% property.products.eachWithIndex { p, idx -> %>
                                 {
-                                    "name": "<%= p.name %>",
-                                    "price": "<%= p.price %>"
+                                    "name": <%= p.name %>,
+                                    "price": <%= p.price %>
                                 }<%= idx < property.products.size() - 1 ? ',' : '' %>
                                 <% } %>
 							]
diff --git a/distribution/examples/security/api-key/rbac/apis.yaml b/distribution/examples/security/api-key/rbac/apis.yaml
@@ -27,7 +27,7 @@ api:
             - template:
                 src: |
                   Only for admins!
-                  Caller scopes: ${fn.scopes()}
+                  Caller scopes: ${scopes()}
             - return:
                 status: 200
       - if:
@@ -37,7 +37,7 @@ api:
             - template:
                 src: |
                   Only for finance or accounting!
-                  Caller scopes: ${fn.scopes()}
+                  Caller scopes: ${scopes()}
             - return:
                 status: 200
       - template:
diff --git a/distribution/examples/security/jwt/apikey-to-jwt-conversion/README.md b/distribution/examples/security/jwt/apikey-to-jwt-conversion/README.md
@@ -33,12 +33,11 @@ The resulting JWT is stored in the body and returned via `<return>`.
   <headerExtractor />
  </apiKey>
  <request>
-  <setProperty name="scopes" value="${scopes()}"/>
   <template>
    {
      "sub": "user@example.com", 
      "aud": "order", 
-     "scope": ${fn.toJSON(property.scopes)}
+     "scope": ${scopes()}
    }
   </template>
   <jwtSign>
diff --git a/distribution/examples/security/jwt/apikey-to-jwt-conversion/apis.yaml b/distribution/examples/security/jwt/apikey-to-jwt-conversion/apis.yaml
@@ -12,15 +12,13 @@ api:
         extractors:
           - headerExtractor: {}
     - request:
-        - setProperty:
-            name: scopes
-            value: ${scopes()}
         - template:
+            contentType: application/json
             src: |
               {
                 "sub": "user@example.com",
                 "aud": "order",
-                "scope": ${fn.toJSON(property.scopes)}
+                "scope": ${scopes()}
               }
         - jwtSign:
             jwk:
diff --git a/distribution/examples/security/jwt/apikey-to-jwt-conversion/proxies.xml b/distribution/examples/security/jwt/apikey-to-jwt-conversion/proxies.xml
diff --git a/distribution/examples/templating/json/apis.yaml b/distribution/examples/templating/json/apis.yaml
diff --git a/distribution/examples/templating/json/proxies.xml b/distribution/examples/templating/json/proxies.xml
diff --git a/distribution/examples/web-services-soap/rest2soap-template/apis.yaml b/distribution/examples/web-services-soap/rest2soap-template/apis.yaml
diff --git a/distribution/examples/web-services-soap/rest2soap-template/proxies.xml b/distribution/examples/web-services-soap/rest2soap-template/proxies.xml
diff --git a/distribution/tutorials/orchestration/30-Orchestration.yaml b/distribution/tutorials/orchestration/30-Orchestration.yaml
diff --git a/distribution/tutorials/orchestration/50-Loop-get-Details.yaml b/distribution/tutorials/orchestration/50-Loop-get-Details.yaml
diff --git a/distribution/tutorials/transformation/50-JSON-Array-to-SOAP.yaml b/distribution/tutorials/transformation/50-JSON-Array-to-SOAP.yaml
diff --git a/distribution/tutorials/transformation/60-SOAP-Array-to-JSON.yaml b/distribution/tutorials/transformation/60-SOAP-Array-to-JSON.yaml

Original file line number	Diff line number	Diff line change
`@@ -121,13 +121,17 @@ protected byte[] getContent(Exchange exchange, Flow flow) {`
`121`	`121`	`}`
`122`	`122`
`123`	`123`	`private @NotNull Map<String, Object> getVariableBinding(Exchange exc, Flow flow) {`
`124`		`- return createParameterBindings(router, exc, flow, scriptAccessesJson && isJsonMessage(exc, flow));`
	`124`	`+ return createParameterBindings(router, exc, flow, scriptAccessesJson && isJsonMessage(exc, flow), producesJSON());`
`125`	`125`	`}`
`126`	`126`
`127`	`127`	`private static boolean isJsonMessage(Exchange exc, Flow flow) {`
`128`	`128`	`return exc.getMessage(flow).isJSON();`
`129`	`129`	`}`
`130`	`130`
	`131`	`+ private boolean producesJSON() {`
	`132`	`+ return contentType != null && contentType.contains("json");`
	`133`	`+ }`
	`134`	`+`
`131`	`135`	`private Template createTemplate() {`
`132`	`136`	`if (src == null)`
`133`	`137`	`throw new ConfigurationException("No template content provided via 'location' or inline text (%s).".formatted(getTemplateLocation()));`
Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,7 @@ protected void handleScriptExecutionException(Exchange exc, Exception e) {`
`207`	`207`	`}`
`208`	`208`
`209`	`209`	`private Map<String, Object> getParameterBindings(Exchange exc, Flow flow, Message msg) {`
`210`		`- var binding = createParameterBindings(router, exc, flow, scriptAccessesJson && msg.isJSON());`
	`210`	`+ var binding = createParameterBindings(router, exc, flow, scriptAccessesJson && msg.isJSON(), false);`
`211`	`211`	`addOutcomeObjects(binding);`
`212`	`212`	`return binding;`
`213`	`213`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ class GroovyBuiltInFunctionsTest {`
`34`	`34`
`35`	`35`	`@BeforeEach`
`36`	`36`	`void setUp() throws URISyntaxException {`
`37`		`- functions = new GroovyBuiltInFunctions(post("/foo").xml("<person name='Fritz'/>").buildExchange(), REQUEST, new DummyTestRouter());`
	`37`	`+ functions = new GroovyBuiltInFunctions(post("/foo").xml("<person name='Fritz'/>").buildExchange(), REQUEST, new DummyTestRouter(), new HashMap<>());`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`@Test`