Support multi-line comments in Server Sent Events

bclozel · bclozel · commit 86a68a77c40b · 2026-06-03T11:13:32.000+02:00
Prior to this commit, comments sent with Server Sent Events could break the wire format when sent over the network when comments contained line breaks. While comments are mainly used for sending keepalive messages, they can also be used for sending debug data. This commit ensures that line breaks are properly handled in comments. Fixes gh-36866
diff --git a/spring-web/src/main/java/org/springframework/http/codec/ServerSentEvent.java b/spring-web/src/main/java/org/springframework/http/codec/ServerSentEvent.java
@@ -22,7 +22,6 @@
 
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
-import org.springframework.util.StringUtils;
 
 /**
  * Representation for a Server-Sent Event for use with Spring's reactive Web support.
@@ -112,7 +111,9 @@ public String format() {
 			appendAttribute("retry", this.retry.toMillis(), sb);
 		}
 		if (this.comment != null) {
-			sb.append(':').append(StringUtils.replace(this.comment, "\n", "\n:")).append('\n');
+			sb.append(':');
+			appendEscaped(this.comment, "\n:", sb);
+			sb.append('\n');
 		}
 		if (this.data != null) {
 			sb.append("data:");
@@ -124,6 +125,30 @@ private void appendAttribute(String fieldName, Object fieldValue, StringBuilder
 		sb.append(fieldName).append(':').append(fieldValue).append('\n');
 	}
 
+	private void appendEscaped(String input, String replacement, StringBuilder sb) {
+		if (input.indexOf('\n') == -1 && input.indexOf('\r') == -1) {
+			sb.append(input);
+		}
+		else {
+			int length = input.length();
+			for (int i = 0; i < length; i++) {
+				char c = input.charAt(i);
+				if (c == '\r') {
+					if (i + 1 < length && input.charAt(i + 1) == '\n') {
+						i++;
+					}
+					sb.append(replacement);
+				}
+				else if (c == '\n') {
+					sb.append(replacement);
+				}
+				else {
+					sb.append(c);
+				}
+			}
+		}
+	}
+
 	@Override
 	public boolean equals(@Nullable Object other) {
 		return (this == other || (other instanceof ServerSentEvent<?> that &&
diff --git a/spring-web/src/test/java/org/springframework/http/codec/ServerSentEventTests.java b/spring-web/src/test/java/org/springframework/http/codec/ServerSentEventTests.java
@@ -22,6 +22,7 @@
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 
 /**
@@ -44,6 +45,15 @@ void rejectsInvalidEvent(String newLine, String description) {
 				ServerSentEvent.<String>builder().event("first" + newLine + "second").build());
 	}
 
+
+	@ParameterizedTest(name = "{1}")
+	@MethodSource("newLineCharacters")
+	void supportMultiLineComments(String newLine, String description) {
+		ServerSentEvent<String> event = ServerSentEvent.<String>builder()
+				.comment("foo" + newLine + "bar" + newLine + "baz").data("payload").build();
+		assertThat(event.format()).isEqualTo(":foo\n:bar\n:baz\ndata:");
+	}
+
 	private static Stream<Arguments> newLineCharacters() {
 		return Stream.of(
 				Arguments.of("\n", "LF"),
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/SseEmitter.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/SseEmitter.java
@@ -224,7 +224,9 @@ public SseEventBuilder reconnectTime(long reconnectTimeMillis) {
 
 		@Override
 		public SseEventBuilder comment(String comment) {
-			append(':').append(StringUtils.replace(comment, "\n", "\n:")).append('\n');
+			append(':');
+			appendEscaped(comment, "\n:");
+			append('\n');
 			return this;
 		}
 
@@ -259,6 +261,16 @@ private void writeStringData(String input, @Nullable MediaType mediaType) {
 			if (input.indexOf('\n') == -1 && input.indexOf('\r') == -1) {
 				this.dataToSend.add(new DataWithMediaType(input, mediaType));
 			}
+			else {
+				appendEscaped(input, "\ndata:");
+				saveAppendedText(mediaType);
+			}
+		}
+
+		private void appendEscaped(String input, String replacement) {
+			if (input.indexOf('\n') == -1 && input.indexOf('\r') == -1) {
+				append(input);
+			}
 			else {
 				int length = input.length();
 				for (int i = 0; i < length; i++) {
@@ -267,16 +279,15 @@ private void writeStringData(String input, @Nullable MediaType mediaType) {
 						if (i + 1 < length && input.charAt(i + 1) == '\n') {
 							i++;
 						}
-						this.sb.append("\ndata:");
+						append(replacement);
 					}
 					else if (c == '\n') {
-						this.sb.append("\ndata:");
+						append(replacement);
 					}
 					else {
-						this.sb.append(c);
+						append(c);
 					}
 				}
-				saveAppendedText(mediaType);
 			}
 		}
 
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/SseEmitterTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/SseEmitterTests.java
@@ -168,6 +168,17 @@ void rejectInvalidName(String newLineChars, String description) {
 				.send(event().name("first" + newLineChars + "second")));
 	}
 
+	@ParameterizedTest(name = "{1}")
+	@MethodSource("newLineCharacters")
+	void supportMultiLineComments(String newLineChars, String description) throws Exception {
+		this.emitter.send(event().comment("foo" + newLineChars + "bar" + newLineChars + "baz").data("payload"));
+		this.handler.assertSentObjectCount(3);
+		this.handler.assertObject(0, ":foo\n:bar\n:baz\ndata:", TEXT_PLAIN_UTF8);
+		this.handler.assertObject(1, "payload");
+		this.handler.assertObject(2, "\n\n", TEXT_PLAIN_UTF8);
+		this.handler.assertWriteCount(1);
+	}
+
 	private static Stream<Arguments> newLineCharacters() {
 		return Stream.of(
 				Arguments.of("\n", "LF"),

Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,9 @@ public SseEventBuilder reconnectTime(long reconnectTimeMillis) {`
`224`	`224`
`225`	`225`	`@Override`
`226`	`226`	`public SseEventBuilder comment(String comment) {`
`227`		`- append(':').append(StringUtils.replace(comment, "\n", "\n:")).append('\n');`
	`227`	`+ append(':');`
	`228`	`+ appendEscaped(comment, "\n:");`
	`229`	`+ append('\n');`
`228`	`230`	`return this;`
`229`	`231`	`}`
`230`	`232`
`@@ -259,6 +261,16 @@ private void writeStringData(String input, @Nullable MediaType mediaType) {`
`259`	`261`	`if (input.indexOf('\n') == -1 && input.indexOf('\r') == -1) {`
`260`	`262`	`this.dataToSend.add(new DataWithMediaType(input, mediaType));`
`261`	`263`	`}`
	`264`	`+ else {`
	`265`	`+ appendEscaped(input, "\ndata:");`
	`266`	`+ saveAppendedText(mediaType);`
	`267`	`+ }`
	`268`	`+ }`
	`269`	`+`
	`270`	`+ private void appendEscaped(String input, String replacement) {`
	`271`	`+ if (input.indexOf('\n') == -1 && input.indexOf('\r') == -1) {`
	`272`	`+ append(input);`
	`273`	`+ }`
`262`	`274`	`else {`
`263`	`275`	`int length = input.length();`
`264`	`276`	`for (int i = 0; i < length; i++) {`
`@@ -267,16 +279,15 @@ private void writeStringData(String input, @Nullable MediaType mediaType) {`
`267`	`279`	`if (i + 1 < length && input.charAt(i + 1) == '\n') {`
`268`	`280`	`i++;`
`269`	`281`	`}`
`270`		`- this.sb.append("\ndata:");`
	`282`	`+ append(replacement);`
`271`	`283`	`}`
`272`	`284`	`else if (c == '\n') {`
`273`		`- this.sb.append("\ndata:");`
	`285`	`+ append(replacement);`
`274`	`286`	`}`
`275`	`287`	`else {`
`276`		`- this.sb.append(c);`
	`288`	`+ append(c);`
`277`	`289`	`}`
`278`	`290`	`}`
`279`		`- saveAppendedText(mediaType);`
`280`	`291`	`}`
`281`	`292`	`}`
`282`	`293`