From 9c91d2bd8c523ad5ec2f5938079df1169f39b57a Mon Sep 17 00:00:00 2001
From: Karaimin
Date: Mon, 16 Nov 2020 14:10:28 +0200
Subject: [PATCH] Escape Java EL in validation message before interpolation
---
 .../scimono/entity/schema/validation/ValidationUtil.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/scimono-server/src/main/java/com/sap/scimono/entity/schema/validation/ValidationUtil.java b/scimono-server/src/main/java/com/sap/scimono/entity/schema/validation/ValidationUtil.java
index 58ca9bc9..9e546b10 100644
--- a/scimono-server/src/main/java/com/sap/scimono/entity/schema/validation/ValidationUtil.java
+++ b/scimono-server/src/main/java/com/sap/scimono/entity/schema/validation/ValidationUtil.java
@@ -1,13 +1,20 @@
 package com.sap.scimono.entity.schema.validation;
+import java.util.regex.Pattern;
+
 import javax.validation.ConstraintValidatorContext;
 class ValidationUtil {
+  private static final Pattern EXPRESSION_LANGUAGE_CHARACTERS = Pattern.compile("([${}])");
   public static void interpolateErrorMessage(ConstraintValidatorContext context, String errorMessage) {
     context.disableDefaultConstraintViolation();
-    context.buildConstraintViolationWithTemplate(errorMessage).addConstraintViolation();
+    context.buildConstraintViolationWithTemplate(escapeExpressionLanguage(errorMessage)).addConstraintViolation();
+  }
+
+  private static String escapeExpressionLanguage(String text) {
+    return EXPRESSION_LANGUAGE_CHARACTERS.matcher(text).replaceAll( "\\\\$1" );
   }
 }
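Review bot: The new `EXPRESSION_LANGUAGE_CHARACTERS` pattern escapes `$`, `{` and `}` but not the backslash, which is the message-template grammar's own escape character, so a backslash already present in `errorMessage` sits next to the one `replaceAll` adds and the meaning of the resulting `\\$\{` sequence depends on the interpolator's unescaping rules rather than on this code; widening the class to `Pattern.compile("([\\\\${}])")` escapes every special character uniformly and removes that dependency. `matcher(text)` also throws `NullPointerException` for a null message, where the old code handed null straight to `buildConstraintViolationWithTemplate`; a `Objects.requireNonNull(text, "text")` or an early `return text` should make that explicit. The helper deserves a short Javadoc stating why it exists, e.g. `/** Escapes the characters Bean Validation treats as template syntax ({@code $} and braces) so a message built from caller-supplied values is rendered literally instead of being interpolated as a parameter or EL expression. */`, and the spacing in `replaceAll( "\\\\$1" )` does not match the rest of the file. Where the validator implementation offers a way to disable expression evaluation for custom violations, that is presumably the more robust option than escaping, but it is not visible from this hunk.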