Ensure fragment for menu items is not itself rendered

Dave Syer · Dave Syer · commit 07b9d5aa45a5 · 2020-06-13T14:56:10.000+01:00
Formerly there was a "ghost" menu item with no text and no icon
because Thymeleaf had not been instructed to remove the fragment
definition. This change tidies that up and also removes the use of
the "path" variable, which Thymeleaf populates from the current
request context, and poses a potential security threat as a
result (if users type malicious characters in the URL).
diff --git a/src/main/resources/templates/fragments/layout.html b/src/main/resources/templates/fragments/layout.html
@@ -1,88 +1,98 @@
 <!doctype html>
 <html th:fragment="layout (template, menu)">
 
-  <head>
+<head>
 
-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
-    <meta charset="utf-8">
-    <meta http-equiv="X-UA-Compatible" content="IE=edge">
-    <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
 
-    <link rel="shortcut icon" type="image/x-icon" th:href="@{/resources/images/favicon.png}">
+  <link rel="shortcut icon" type="image/x-icon" th:href="@{/resources/images/favicon.png}">
 
-    <title>PetClinic :: a Spring Framework demonstration</title>
+  <title>PetClinic :: a Spring Framework demonstration</title>
 
-    <!--[if lt IE 9]>
+  <!--[if lt IE 9]>
     <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
     <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
     <![endif]-->
 
-    <link rel="stylesheet" th:href="@{/resources/css/petclinic.css}"/>
+  <link rel="stylesheet" th:href="@{/resources/css/petclinic.css}" />
 
-  </head>
+</head>
 
 <body>
 
   <nav class="navbar navbar-default" role="navigation">
-      <div class="container">
-          <div class="navbar-header">
-              <a class="navbar-brand" th:href="@{/}"><span></span></a>
-              <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#main-navbar">
-                  <span class="sr-only"><os-p>Toggle navigation</os-p></span>
-                  <span class="icon-bar"></span>
-                  <span class="icon-bar"></span>
-                  <span class="icon-bar"></span>
-              </button>
-          </div>
-          <div class="navbar-collapse collapse" id="main-navbar">
-              <ul class="nav navbar-nav navbar-right">
-  
-                  <li th:fragment="menuItem (path,active,title,glyph,text)" class="active" th:class="${active==menu ? 'active' : ''}">
-                      <a th:href="@{__${path}__}" th:title="${title}">
-                        <span th:class="'glyphicon  glyphicon-'+${glyph}" class="glyphicon glyphicon-home" aria-hidden="true"></span>
-                        <span th:text="${text}">Template</span>
-                      </a>
-                  </li>
-  
-                  <li th:replace="::menuItem ('/','home','home page','home','Home')">
-                      <span class="glyphicon glyphicon-home" aria-hidden="true"></span>
-                      <span>Home</span>
-                  </li>
-  
-                  <li th:replace="::menuItem ('/owners/find','owners','find owners','search','Find owners')">
-                      <span class="glyphicon glyphicon-search" aria-hidden="true"></span>
-                      <span>Find owners</span>
-                  </li>
-  
-                  <li th:replace="::menuItem ('/vets.html','vets','veterinarians','th-list','Veterinarians')">
-                      <span class="glyphicon glyphicon-th-list" aria-hidden="true"></span>
-                      <span>Veterinarians</span>
-                  </li>
-  
-                  <li th:replace="::menuItem ('/oups','error','trigger a RuntimeException to see how it is handled','warning-sign','Error')">
-                      <span class="glyphicon glyphicon-warning-sign" aria-hidden="true"></span>
-                      <span>Error</span>
-                  </li>
-  
-              </ul>
-          </div>
+    <div class="container">
+      <div class="navbar-header">
+        <a class="navbar-brand" th:href="@{/}"><span></span></a>
+        <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#main-navbar">
+          <span class="sr-only">
+            <os-p>Toggle navigation</os-p>
+          </span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </button>
+      </div>
+      <div class="navbar-collapse collapse" id="main-navbar">
+
+        <ul class="nav navbar-nav navbar-right" th:remove="all">
+
+          <li th:fragment="menuItem (link,active,title,glyph,text)" class="active"
+            th:class="${active==menu ? 'active' : ''}">
+            <a th:href="@{__${link}__}" th:title="${title}">
+              <span th:class="'glyphicon  glyphicon-'+${glyph}" class="glyphicon glyphicon-home"
+                aria-hidden="true"></span>
+              <span th:text="${text}">Template</span>
+            </a>
+          </li>
+
+        </ul>
+
+        <ul class="nav navbar-nav navbar-right">
+
+          <li th:replace="::menuItem ('/','home','home page','home','Home')">
+            <span class="glyphicon glyphicon-home" aria-hidden="true"></span>
+            <span>Home</span>
+          </li>
+
+          <li th:replace="::menuItem ('/owners/find','owners','find owners','search','Find owners')">
+            <span class="glyphicon glyphicon-search" aria-hidden="true"></span>
+            <span>Find owners</span>
+          </li>
+
+          <li th:replace="::menuItem ('/vets.html','vets','veterinarians','th-list','Veterinarians')">
+            <span class="glyphicon glyphicon-th-list" aria-hidden="true"></span>
+            <span>Veterinarians</span>
+          </li>
+
+          <li
+            th:replace="::menuItem ('/oups','error','trigger a RuntimeException to see how it is handled','warning-sign','Error')">
+            <span class="glyphicon glyphicon-warning-sign" aria-hidden="true"></span>
+            <span>Error</span>
+          </li>
+
+        </ul>
       </div>
+    </div>
   </nav>
   <div class="container-fluid">
-      <div class="container xd-container">
-  
-          <th:block th:include="${template}"/>
-
-        <br/>
-        <br/>
-        <div class="container">
-          <div class="row">
-            <div class="col-12 text-center">
-              <img src="../static/resources/images/spring-pivotal-logo.png" th:src="@{/resources/images/spring-pivotal-logo.png}"
-                alt="Sponsored by Pivotal"/></div>
-          </div>
+    <div class="container xd-container">
+
+      <th:block th:include="${template}" />
+
+      <br />
+      <br />
+      <div class="container">
+        <div class="row">
+          <div class="col-12 text-center">
+            <img src="../static/resources/images/spring-pivotal-logo.png"
+              th:src="@{/resources/images/spring-pivotal-logo.png}" alt="Sponsored by Pivotal" /></div>
         </div>
       </div>
+    </div>
   </div>
 
   <script th:src="@{/webjars/jquery/jquery.min.js}"></script>
