Support spring.webflux.default-html-escape property for application-wide HTML escaping configuration

[husseinvr97]

Spring Framework 7.0.6 introduced programmatic support for configuring
application-wide HTML escaping in WebFlux via WebHttpHandlerBuilder.defaultHtmlEscape()
(see spring-projects/spring-framework#36400).

However, Spring Boot does not yet expose this as a property, meaning developers
cannot configure it via application.properties or application.yml.

In Spring MVC, this has long been configurable via the defaultHtmlEscape
context parameter in web.xml. WebFlux applications migrating from MVC
currently have no equivalent property-based option.

Proposed Solution

Add spring.webflux.default-html-escape to WebFluxProperties and wire it
through a WebHttpHandlerBuilderCustomizer bean in WebFluxAutoConfiguration:

​ spring.webflux.default-html-escape=true ​

This follows the existing WebHttpHandlerBuilderCustomizer extension point
already used in HttpHandlerAutoConfiguration.

I can submit a PR for this change.

Reference

• Spring Framework PR: Support application-wide defaultHtmlEscape setting in WebFlux RequestContext spring-framework#36400
• Spring Framework commit: d4893fb

[wilkinsona]

Thanks for the proposal.

A typical Spring Boot application doesn't have a web.xml file. Technically, you can configure the MVC side of things using an init parameter but that's quite different to a specific property.

If we're going to do something here, I'd like to be able to provide the same functionality for both MVC and WebFlux apps. Perhaps we can provide a property for MVC and map that to the equivalent init parameter on the servlet context. Alternatively, Framework could provide a configuration mechanism in MVC that's not coupled to the servlet context. We'll discuss it.

[husseinvr97]

Thanks for the feedback @wilkinsona!

I understand the desire for consistency across MVC and WebFlux.
I'm happy to expand the scope to cover both if the team decides on the approach. I'll wait for the team discussion before submitting a PR.

[wilkinsona]

We discussed this today and we're happy with the init parameter approach on the MVC side. We'd like to have the proposed spring.webflux.default-html-escape property for WebFlux too so that users of either web stack can configure this setting using properties. @husseinvr97, if you'd like to open a PR for this, that'd be much appreciated.

[husseinvr97]

Thanks @wilkinsona and @philwebb! I'll get started on the PR right away.

[philwebb]

Closing in favor of PR #49791. Thanks @husseinvr97!