From 07b9d5aa45a51ce6d2372c46880cad2192da9d07 Mon Sep 17 00:00:00 2001
From: Dave Syer <dsyer@pivotal.io>
Date: Sat, 13 Jun 2020 14:56:10 +0100
Subject: [PATCH] Ensure fragment for menu items is not itself rendered

Formerly there was a "ghost" menu item with no text and no icon
because Thymeleaf had not been instructed to remove the fragment
definition. This change tidies that up and also removes the use of
the "path" variable, which Thymeleaf populates from the current
request context, and poses a potential security threat as a
result (if users type malicious characters in the URL).
---
 .../resources/templates/fragments/layout.html | 136 ++++++++++--------
 1 file changed, 73 insertions(+), 63 deletions(-)

diff --git a/src/main/resources/templates/fragments/layout.html b/src/main/resources/templates/fragments/layout.html
index 7cb5f4697..f3b207483 100755
--- a/src/main/resources/templates/fragments/layout.html
+++ b/src/main/resources/templates/fragments/layout.html
@@ -1,88 +1,98 @@
 <!doctype html>
 <html th:fragment="layout (template, menu)">
 
-  <head>
+<head>
 
-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
-    <meta charset="utf-8">
-    <meta http-equiv="X-UA-Compatible" content="IE=edge">
-    <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
 
-    <link rel="shortcut icon" type="image/x-icon" th:href="@{/resources/images/favicon.png}">
+  <link rel="shortcut icon" type="image/x-icon" th:href="@{/resources/images/favicon.png}">
 
-    <title>PetClinic :: a Spring Framework demonstration</title>
+  <title>PetClinic :: a Spring Framework demonstration</title>
 
-    <!--[if lt IE 9]>
+  <!--[if lt IE 9]>
     <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
     <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
     <![endif]-->
 
-    <link rel="stylesheet" th:href="@{/resources/css/petclinic.css}"/>
+  <link rel="stylesheet" th:href="@{/resources/css/petclinic.css}" />
 
-  </head>
+</head>
 
 <body>
 
   <nav class="navbar navbar-default" role="navigation">
-      <div class="container">
-          <div class="navbar-header">
-              <a class="navbar-brand" th:href="@{/}"><span></span></a>
-              <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#main-navbar">
-                  <span class="sr-only"><os-p>Toggle navigation</os-p></span>
-                  <span class="icon-bar"></span>
-                  <span class="icon-bar"></span>
-                  <span class="icon-bar"></span>
-              </button>
-          </div>
-          <div class="navbar-collapse collapse" id="main-navbar">
-              <ul class="nav navbar-nav navbar-right">
-  
-                  <li th:fragment="menuItem (path,active,title,glyph,text)" class="active" th:class="${active==menu ? 'active' : ''}">
-                      <a th:href="@{__${path}__}" th:title="${title}">
-                        <span th:class="'glyphicon  glyphicon-'+${glyph}" class="glyphicon glyphicon-home" aria-hidden="true"></span>
-                        <span th:text="${text}">Template</span>
-                      </a>
-                  </li>
-  
-                  <li th:replace="::menuItem ('/','home','home page','home','Home')">
-                      <span class="glyphicon glyphicon-home" aria-hidden="true"></span>
-                      <span>Home</span>
-                  </li>
-  
-                  <li th:replace="::menuItem ('/owners/find','owners','find owners','search','Find owners')">
-                      <span class="glyphicon glyphicon-search" aria-hidden="true"></span>
-                      <span>Find owners</span>
-                  </li>
-  
-                  <li th:replace="::menuItem ('/vets.html','vets','veterinarians','th-list','Veterinarians')">
-                      <span class="glyphicon glyphicon-th-list" aria-hidden="true"></span>
-                      <span>Veterinarians</span>
-                  </li>
-  
-                  <li th:replace="::menuItem ('/oups','error','trigger a RuntimeException to see how it is handled','warning-sign','Error')">
-                      <span class="glyphicon glyphicon-warning-sign" aria-hidden="true"></span>
-                      <span>Error</span>
-                  </li>
-  
-              </ul>
-          </div>
+    <div class="container">
+      <div class="navbar-header">
+        <a class="navbar-brand" th:href="@{/}"><span></span></a>
+        <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#main-navbar">
+          <span class="sr-only">
+            <os-p>Toggle navigation</os-p>
+          </span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </button>
       </div>
+      <div class="navbar-collapse collapse" id="main-navbar">
+
+        <ul class="nav navbar-nav navbar-right" th:remove="all">
+
+          <li th:fragment="menuItem (link,active,title,glyph,text)" class="active"
+            th:class="${active==menu ? 'active' : ''}">
+            <a th:href="@{__${link}__}" th:title="${title}">
+              <span th:class="'glyphicon  glyphicon-'+${glyph}" class="glyphicon glyphicon-home"
+                aria-hidden="true"></span>
+              <span th:text="${text}">Template</span>
+            </a>
+          </li>
+
+        </ul>
+
+        <ul class="nav navbar-nav navbar-right">
+
+          <li th:replace="::menuItem ('/','home','home page','home','Home')">
+            <span class="glyphicon glyphicon-home" aria-hidden="true"></span>
+            <span>Home</span>
+          </li>
+
+          <li th:replace="::menuItem ('/owners/find','owners','find owners','search','Find owners')">
+            <span class="glyphicon glyphicon-search" aria-hidden="true"></span>
+            <span>Find owners</span>
+          </li>
+
+          <li th:replace="::menuItem ('/vets.html','vets','veterinarians','th-list','Veterinarians')">
+            <span class="glyphicon glyphicon-th-list" aria-hidden="true"></span>
+            <span>Veterinarians</span>
+          </li>
+
+          <li
+            th:replace="::menuItem ('/oups','error','trigger a RuntimeException to see how it is handled','warning-sign','Error')">
+            <span class="glyphicon glyphicon-warning-sign" aria-hidden="true"></span>
+            <span>Error</span>
+          </li>
+
+        </ul>
+      </div>
+    </div>
   </nav>
   <div class="container-fluid">
-      <div class="container xd-container">
-  
-          <th:block th:include="${template}"/>
+    <div class="container xd-container">
 
-        <br/>
-        <br/>
-        <div class="container">
-          <div class="row">
-            <div class="col-12 text-center">
-              <img src="../static/resources/images/spring-pivotal-logo.png" th:src="@{/resources/images/spring-pivotal-logo.png}"
-                alt="Sponsored by Pivotal"/></div>
-          </div>
+      <th:block th:include="${template}" />
+
+      <br />
+      <br />
+      <div class="container">
+        <div class="row">
+          <div class="col-12 text-center">
+            <img src="../static/resources/images/spring-pivotal-logo.png"
+              th:src="@{/resources/images/spring-pivotal-logo.png}" alt="Sponsored by Pivotal" /></div>
         </div>
       </div>
+    </div>
   </div>
 
   <script th:src="@{/webjars/jquery/jquery.min.js}"></script>