JSR-371: MVC 1.0 TCK Coverage

1.0

Contents

Chapter Summary
Section Summary
Coverage Detail
Unmatched Tests
Unversioned Tests
Test Group Summary

Coverage Distribution

 
 
 
 
 
 
 
 
 
 

Chapter Summary

Chapter Assertions Testable Total Tested Total Tests Tested
(problematic)
Tested
(working)
Coverage %
1 Introduction000000
2 Models, Views and Controllers33333352033100.00%
3 Data Binding8800000.00%
4 Security131300000.00%
5 Events666606100.00%
6 Applications7700000.00%
7 View Engines8800000.00%
8 Internationalization4400000.00%
Total7979395803949.37%

Section Summary

SectionAssertionsTestableTotal TestedTested
(problematic)
Tested
(working)
Coverage %
1 Introduction [introduction]00000
1.1 Goals [goals]00000
1.2 Non-Goals [non_goals]00000
1.3 Additional Information [additional_information]00000
1.4 Terminology [terminology]00000
1.5 Conventions [conventions]00000
1.6 Specification Leads [spec_leads]00000
1.7 Expert Group Members [expert_group]00000
1.8 Contributors [contributors]00000
1.9 Acknowledgements [acks]00000
2 Models, Views and Controllers [mvc]00000
2.1 Controllers [controllers]111111011100.00%
2.1.1 Controller Instances [controller_instances]44404100.00%
2.1.2 Response [response]11101100.00%
2.1.3 Redirect and @RedirectScoped [redirect]77707100.00%
2.2 Models [models]44404100.00%
2.3 Views [views]11101100.00%
2.3.1 Building URIs in a View [mvc_uri]55505100.00%
3 Data Binding [data_binding]00000
3.1 Introduction [data_binding_intro]00000
3.2 @MvcBinding annotation [mvc_binding_annotation]220000.00%
3.3 Error handling with BindingResult [error_handling_bindingresult]220000.00%
3.4 Converting to Java types [converting_parameters]00000
3.4.1 Numeric types [numeric_types]220000.00%
3.4.2 Boolean type [boolean_type]220000.00%
3.4.3 Other types [other_types]00000
4 Security [security]00000
4.1 Introduction [security_introduction]00000
4.2 Cross-site Request Forgery [cross-site-request-forgery]11110000.00%
4.3 Cross-site Scripting [cross-site-scripting]220000.00%
5 Events [events]00000
5.1 Observers [observers]66606100.00%
6 Applications [applications]00000
6.1 MVC Applications [mvc_applications]220000.00%
6.2 MVC Context [mvc_context]330000.00%
6.3 Providers in MVC [providers_in_mvc]00000
6.4 Annotation Inheritance [annotation_inheritance]220000.00%
6.5 Configuration in MVC [configuration_in_mvc]00000
7 View Engines [view_engines]00000
7.1 Introduction [view_engines_introduction]220000.00%
7.2 Selection Algorithm [selection_algorithm]660000.00%
7.3 FacesServlet [faces_servlet]00000
8 Internationalization [i18n]00000
8.1 Introduction [i18n_introduction]110000.00%
8.2 Resolving Algorithm [i18n_resolving_algorithm]220000.00%
8.3 Default Locale Resolver [i18n_default_resolver]110000.00%

Coverage Detail

Colour Key
Assertion is covered
Assertion is not covered
Assertion test is unimplemented
Assertion is untestable

Section 2.1 - Controllers [controllers]

ctrl-method)

An MVC controller is a JAX-RS [5] resource method decorated by @Controller

Coverage

org.mvcspec.tck.tests.mvc.controller.annotation
Test archive name: 1bf7b388452f10d85ffd5b39e7427043f5e91
ControllerAnnotationTest.controllerMethod()
ctrl-class)

If this annotation is applied to a class, then all resource methods in it are regarded as controllers

Coverage

org.mvcspec.tck.tests.mvc.controller.annotation
Test archive name: 1bf7b388452f10d85ffd5b39e7427043f5e91
ControllerAnnotationTest.controllerClass()
ctrl-hybrid)

Using the @Controller annotation on a subset of methods defines a hybrid class in which certain methods are controllers and others are traditional JAX-RS resource methods.

Coverage

org.mvcspec.tck.tests.mvc.controller.annotation
Test archive name: 1bf7b388452f10d85ffd5b39e7427043f5e91
ControllerAnnotationTest.controllerHybrid()
return-string)

In particular, a return type of String is interpreted as a view path rather than text content

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.stringReturnType()
default-mediatype)

Moreover, the default media type for a response is assumed to be text/html, but otherwise can be declared using @Produces just like in JAX-RS

Coverage

org.mvcspec.tck.tests.mvc.controller.mediatype
Test archive name: f842b4738a8051c14176753bed32b9adb57e35
MediaTypeTest.defaultMediaType()
Test archive name: f842b4738a8051c14176753bed32b9adb57e35
MediaTypeTest.customMediaType()
return-void)

A controller method that returns void is REQUIRED to be decorated by @View

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.voidWithViewAnnotation()
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.voidWithoutViewAnnotation()
return-string2)

A string returned is interpreted as a view path

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.stringReturnType()
return-response)

A JAX-RS Response whose entity's type is one of the above

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.responseWithStringEntity()
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.responseWithNullEntity()
non-null-viewable)

The default view MUST be used only when such a non-void controller method returns a null value

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.stringWithNullResult()
inject-param-types)

All parameter types injectable in JAX-RS resources are also available in controllers

Coverage

org.mvcspec.tck.tests.mvc.controller.inject
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectPathParam()
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectQueryParam()
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectHeaderParam()
inject-field-props)

Likewise, injection of fields and properties is unrestricted and fully compatible with JAX-RS

Coverage

org.mvcspec.tck.tests.mvc.controller.inject
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectFieldParam()
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectPropertyParam()

Section 2.1.1 - Controller Instances [controller_instances]

ctrl-cdi)

MVC classes are REQUIRED to be CDI-managed beans only

Coverage

org.mvcspec.tck.tests.mvc.instances.cdi
Test archive name: 4be3737c3eeb84e6ad40f07dcf248276dcbee683
CdiControllerTest.controllerCdiInjection()
ctrl-cdi-hybrid)

It follows that a hybrid class that contains a mix of JAX-RS resource methods and MVC controllers must also be CDI managed

Coverage

org.mvcspec.tck.tests.mvc.instances.cdi
Test archive name: 4be3737c3eeb84e6ad40f07dcf248276dcbee683
CdiControllerTest.hybridCdiInjection()
request-scope-default)

Like in JAX-RS, the default resource class instance lifecycle is per-request

Coverage

org.mvcspec.tck.tests.mvc.instances.lifecycle
Test archive name: 1184f6b941a7b09abae7e946415f958b14a288a0
ControllerLifecycleTest.controllerRequestScope()
scope-proxy)

In particular, CDI may need to create proxies when, for example, a per-request instance is as a member of a per-application instance

Coverage

org.mvcspec.tck.tests.mvc.instances.proxy
Test archive name: 36e9f988b0226651821d2420623382bca463d124
InjectProxyTest.injectProxyIfRequired()

Section 2.1.2 - Response [response]

response-header)

Returning a Response object gives applications full access to all the parts in a response, including the headers

Coverage

org.mvcspec.tck.tests.mvc.response
Test archive name: b4874be6631fad835b0b83e1a695ff62ab9209a
ResponseFeaturesTest.responseAllowsSettingHeaders()
Test archive name: b4874be6631fad835b0b83e1a695ff62ab9209a
ResponseFeaturesTest.responseAllowsSettingCacheControl()

Section 2.1.3 - Redirect and @RedirectScoped [redirect]

redirect-response)

Controllers can redirect clients by returning a Response instance using the JAX-RS API

Coverage

org.mvcspec.tck.tests.mvc.redirect.send
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.redirectViaResponse()
redirect-prefix)

MVC implementations are REQUIRED to support view paths prefixed by redirect: as a more concise way to trigger a client redirect

Coverage

org.mvcspec.tck.tests.mvc.redirect.send
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.redirectViaRedirectPrefix()
redirect-relative)

In either case, relative paths are resolved relative to the JAX-RS application path

Coverage

org.mvcspec.tck.tests.mvc.redirect.send
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.relativePathResponse()
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.relativePathRedirectPrefix()
redirect-303-302)

MVC implementations SHOULD use the 303 (See other) status code for the redirect, but MAY prefer 302 (Found) if HTTP 1.0 compatibility is required.

Coverage

org.mvcspec.tck.tests.mvc.redirect.send
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.usesCorrectStatusCide()
scope-request)

A bean in request scope is available only during the processing of a single request

Coverage

org.mvcspec.tck.tests.mvc.redirect.scope
Test archive name: 830a4857cedda83fdbd58cb96e7dfe3d5830
RedirectScopeTest.requestScope()
scope-session)

While a bean in session scope is available throughout an entire web session which can potentially span tens or even hundreds of requests

Coverage

org.mvcspec.tck.tests.mvc.redirect.scope
Test archive name: 830a4857cedda83fdbd58cb96e7dfe3d5830
RedirectScopeTest.sessionScope()
scope-redirect)

CDI beans in this scope are automatically created and destroyed by correlating a redirect and the request that follows

Coverage

org.mvcspec.tck.tests.mvc.redirect.scope
Test archive name: 830a4857cedda83fdbd58cb96e7dfe3d5830
RedirectScopeTest.redirectScope()

Section 2.2 - Models [models]

builtin-both-models)

MVC provides view engines for JSP and Facelets out of the box, which support both types

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelFacelets()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsFacelets()
cdi-model-inject)

Given that the view engine for JSPs supports @Named beans, all the controller needs to do is fill out the model and return the view

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelFacelets()
cdi-model-el)

This will allow the view to access the greeting using the EL expression

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelFacelets()
models-inject)

Controllers can also use the Models map to pass data to the view

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsFacelets()

Section 2.3 - Views [views]

jsp-el)

In a JSP, model properties are accessible via EL

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsJsp()

Section 2.3.1 - Building URIs in a View [mvc_uri]

el-access)

URIs for these controller methods can be created with an EL expression

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.simpleUriViaEl()
class-method-name)

The controller method is referenced using the simple name of the controller class and the corresponding method name separated by #

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.simpleUriViaEl()
param-map)

If the URI contains path, query or matrix parameters, concrete values can be supplied using a map

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.mapPathParam()
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.mapQueryParam()
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.mapMatrixParam()
uri-encoding)

MVC implementations MUST apply the corresponding URI encoding rules depending on whether the value is used in a query, path or matrix parameter

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.encodingPathParam()
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.encodingQueryParam()
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.encodingMatrixParam()
uri-ref)

Therefore, applications can use the @UriRef annotation to define a stable and unique name for a controller method

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.supportsUriRef()

Section 3.2 - @MvcBinding annotation [mvc_binding_annotation]

mvc-binding)

You can enable the MVC specific data binding by adding a @MvcBinding annotation to the corresponding controller field or method parameter

Coverage

No tests exist for this assertion

all-binding-annotations)

Therefore, MVC implementations MUST support @MvcBinding with all JAX-RS binding annotations

Coverage

No tests exist for this assertion

Section 3.3 - Error handling with BindingResult [error_handling_bindingresult]

invoke-controller)

An MVC implementation is required to invoke the matched controller method even if binding or validation errors occurred

Coverage

No tests exist for this assertion

inject-binding-result)

Controllers can inject a request-scoped instance of BindingResult to access details about potential data binding errors

Coverage

No tests exist for this assertion

Section 3.4.1 - Numeric types [numeric_types]

convert-numeric)

When converting values to these numeric Java types, MVC implementations MUST use the current request locale for parsing non-empty strings

Coverage

No tests exist for this assertion

convert-empty-numeric)

Empty strings are either converted to null or to the default value of the corresponding primitive data type

Coverage

No tests exist for this assertion

Section 3.4.2 - Boolean type [boolean_type]

convert-boolean)

When an MVC implementation converts a non-empty string to a boolean primitive type or the java.lang.Boolean wrapper type, it MUST convert both true and on to the boolean true and all others strings to false

Coverage

No tests exist for this assertion

convert-empty-boolean)

Empty strings are converted to false in case of the primitive boolean type and to null for the wrapper type

Coverage

No tests exist for this assertion

Section 4.2 - Cross-site Request Forgery [cross-site-request-forgery]

csrf-obj)

The Csrf object is available to applications via the injectable MvcContext type or in EL as mvc.csrf

Coverage

No tests exist for this assertion

csrf-hidden-field)

Applications may use the Csrf object to inject a hidden field in a form that can be validated upon submission

Coverage

No tests exist for this assertion

csrf-verify)

MVC implementations are REQUIRED to support CSRF tokens both as form fields (with the help of the application developer as shown above) and as HTTP headers

Coverage

No tests exist for this assertion

csrf-opt-default)

The default value of this property is CsrfOptions.EXPLICIT

Coverage

No tests exist for this assertion

csrf-inject-header)

Any other value than CsrfOptions.OFF will automatically inject a CSRF token as an HTTP header

Coverage

No tests exist for this assertion

csrf-implicit)

Automatic validation is enabled by setting this property to CsrfOptions.IMPLICIT, in which case all post requests must include either an HTTP header or a hidden field with the correct token

Coverage

No tests exist for this assertion

csrf-explict)

Finally, if the property is set to CsrfOptions.EXPLICIT then application developers must annotate controllers using @CsrfProtected to manually enable validation as shown in the following example

Coverage

No tests exist for this assertion

csrf-mediatype)

MVC implementations are required to support CSRF validation of tokens for controllers annotated with @POST and consuming the media type x-www-form-urlencoded

Coverage

No tests exist for this assertion

csrf-exception)

The MVC implementation MUST throw a javax.mvc.security.CsrfValidationException

Coverage

No tests exist for this assertion

csrf-default-mapper)

The implementation MUST provide a default exception mapper for this exception which handles it by responding with a 403 (Forbidden) status code

Coverage

No tests exist for this assertion

csrf-custom-mapper)

Applications MAY provide a custom exception mapper for CsrfValidationException to change this default behavior

Coverage

No tests exist for this assertion

Section 4.3 - Cross-site Scripting [cross-site-scripting]

xss-encoders-obj)

MVC applications can gain access to encoders through the MvcContext object

Coverage

No tests exist for this assertion

xss-escaping)

The methods defined by javax.mvc.security.Encoders can be used by applications to contextually encode data in an attempt to prevent XSS attacks

Coverage

No tests exist for this assertion

Section 5.1 - Observers [observers]

before-after-controller)

The events BeforeControllerEvent and AfterControllerEvent are fired around the invocation of a controller

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.aroundControllerEvents()
after-controller-exception)

Please note that AfterControllerEvent is always fired, even if the controller fails with an exception

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.afterControllerWithError()
before-after-view)

The events BeforeProcessViewEvent and AfterProcessViewEvent are fired around this call

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.aroundRenderView()
after-view-exception)

Please note that AfterProcessViewEvent is always fired, even if the view engine fails with an exception

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.afterViewWithError()
redirect-event)

The last event supported by MVC is ControllerRedirectEvent, which is fired just before the MVC implementation returns a redirect status code

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.redirectEvent()
redirect-after-controller-event)

Please note that this event MUST be fired after AfterControllerEvent

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.redirectEvent()

Section 6.1 - MVC Applications [mvc_applications]

application-class)

The controllers and providers that make up an application are configured via an application-supplied subclass of Application from JAX-RS

Coverage

No tests exist for this assertion

url-space)

The path in the application's URL space in which MVC controllers live must be specified either using the @ApplicationPath annotation on the application subclass or in the web.xml as part of the url-pattern element

Coverage

No tests exist for this assertion

Section 6.2 - MVC Context [mvc_context]

injection)

MVC applications can inject an instance of MvcContext to access configuration, security and path-related information

Coverage

No tests exist for this assertion

request-scope)

Instances of MvcContext are provided by implementations and are always in request scope

Coverage

No tests exist for this assertion

el-access)

For convenience, the MvcContext instance is also available using the name mvc in EL

Coverage

No tests exist for this assertion

Section 6.4 - Annotation Inheritance [annotation_inheritance]

inheritance)

Such annotations are inherited by a corresponding sub-class or implementation class method provided that the method does not have any MVC or JAX-RS annotations of its own

Coverage

No tests exist for this assertion

class-vs-iface)

Annotations on a super-class take precedence over those on an implemented interface

Coverage

No tests exist for this assertion

Section 7.1 - Introduction [view_engines_introduction]

jsp-facelets)

Implementations MUST provide built-in support for JSPs and Facelets view engines

Coverage

No tests exist for this assertion

cdi-discovery)

Namely, any CDI bean that implements the javax.mvc.engine.ViewEngine interface MUST be considered as a possible target for processing by calling its supports method, discarding the engine if this method returns false

Coverage

No tests exist for this assertion

Section 7.2 - Selection Algorithm [selection_algorithm]

selection-algo)

Implementations should perform the following steps while trying to find a suitable view engine for a view

Coverage

No tests exist for this assertion

no-engine-found)

If a view engine that can process a view is not found, implementations are REQUIRED to throw a ViewEngineException

Coverage

No tests exist for this assertion

engine-exception)

Implementations MUST catch exceptions thrown during the execution of processView and re-throw them as ViewEngineException's

Coverage

No tests exist for this assertion

models-binding)

In the case of the built-in view engines for JSPs and Facelets, entries in Models must be bound by calling HttpServletRequest.setAttribute(String, Object)

Coverage

No tests exist for this assertion

path-relative)

If the path is relative, does not start with /, implementations MUST resolve view paths relative to the view folder, which defaults to /WEB-INF/views/

Coverage

No tests exist for this assertion

path-absolute)

If the path is absolute, no further processing is required

Coverage

No tests exist for this assertion

Section 8.1 - Introduction [i18n_introduction]

mvc-context-locale)

The request locale is available from MvcContext and can be used by controllers, view engines and other components

Coverage

No tests exist for this assertion

Section 8.2 - Resolving Algorithm [i18n_resolving_algorithm]

resolver-discovery)

Every CDI bean implementing the LocaleResolver interface and visible to the application participates in the locale resolving algorithm

Coverage

No tests exist for this assertion

resolve-algorithm)

Implementations MUST use the following algorithm to resolve the request locale for each request

Coverage

No tests exist for this assertion

Section 8.3 - Default Locale Resolver [i18n_default_resolver]

default-locale-resolver)

Every MVC implementation MUST provide a default locale resolver with a priority of 0 which resolves the request locale according to the following algorithm

Coverage

No tests exist for this assertion

Unmatched tests

The following 4 tests do not match any known assertions:

SectionAssertionTest ClassTest Method
xssxss-encoders-obj
org.mvcspec.tck.tests.security.xss
EncodersTest
encodersAvailableFromEl()
xssxss-encoders-obj
org.mvcspec.tck.tests.security.xss
EncodersTest
encodersInjectable()
xssxss-escaping
org.mvcspec.tck.tests.security.xss
EncodersTest
encodesHtml()
xssxss-escaping
org.mvcspec.tck.tests.security.xss
EncodersTest
encodesJavaScript()