Fix CSP style-src nonce policy and escape unsafe HTML output paths#1720

Open
metsw24-max wants to merge 1 commit into apache:main from metsw24-max:csp-radiomap-redirect-escaping

Conversation

@metsw24-max

This PR fixes three framework-side output safety issues related to CSP policy generation and HTML escaping.

All existing tests pass after the changes.

Fix 1: radiomap.ftl attribute escaping

Problem

radiomap.ftl used:

${attributes.name?no_esc}

without pre-sanitizing " characters.

Unlike other form templates, this bypassed FreeMarker auto-escaping entirely and allowed a double quote to break out of the HTML attribute context.

Fix

Escape only double quotes before ?no_esc:

${attributes.name?replace('"', '&quot;')?no_esc}

Single quotes are intentionally preserved because Struts OGNL map syntax may legitimately contain them:

myMap['key']

Files changed:

  • template/simple/radiomap.ftl
  • template/html5/radiomap.ftl

Fix 2: CSP policy missing style-src

Problem

The framework propagates CSP nonces to generated <link> and <script> tags, but the default CSP policy only defined:

script-src 'nonce-...'

No style-src directive existed, meaning style nonces were not enforced by browsers.

Fix

Added:

  • STYLE_SRC constant to CspSettings
  • style-src 'nonce-...' ... directive generation in DefaultCspSettings

Also updated CSP interceptor tests to validate the new policy format.

Files changed:

  • CspSettings.java
  • DefaultCspSettings.java
  • CspInterceptorTest.java

Fix 3: unescaped redirect body output

Problem

ServletRedirectResult wrote the raw redirect URL directly into the HTML response body when using non-302 status codes:

response.getWriter().write(finalLocation);

Since finalLocation may contain OGNL-evaluated values, framework-controlled HTML output should always be escaped before rendering.

Fix

Escape the response body output using Apache Commons Text:

StringEscapeUtils.escapeHtml4(finalLocation)

The Location response header itself remains unchanged.

Files changed:

  • ServletRedirectResult.java
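
The two output contexts touched by Fix 1 and Fix 3, modelled as an added example in Python. This is not code from the PR or from the Struts code base: the tag shapes, the payload strings and the `escape_html4` approximation (which covers only the basic `& < > "` entity set of Commons Text `escapeHtml4`, not its ISO-8859-1 named entities) are assumptions made for the demonstration. The regex-based `attribute_names` helper stands in for an HTML parser so that a successful attribute break-out is visible as an extra attribute name.

```python
# Added example (not part of the PR or the Struts code base): the two output
# contexts this PR touches, modelled in Python. The tag shapes and the
# payloads below are constructed for the demonstration.
import re

# One tag attribute, double- or single-quoted, the way an HTML parser tokenises it.
ATTR = re.compile(r"""\s([A-Za-z-]+)=(?:"[^"]*"|'[^']*')""")


def attribute_names(tag: str) -> list:
    """Attribute names a browser would see in the rendered tag; an injected
    event handler shows up here as an extra entry."""
    return [m.group(1) for m in ATTR.finditer(tag)]


def escape_double_quotes(value: str) -> str:
    """Mirror of the FreeMarker ?replace('"', '&quot;') applied before ?no_esc:
    only the double quote is rewritten, so OGNL map syntax such as myMap['key']
    survives untouched."""
    return value.replace('"', "&quot;")


def escape_html4(value: str) -> str:
    """Approximation of Commons Text StringEscapeUtils.escapeHtml4 for the basic
    entity set (assumption for this example). & < > " are escaped; the
    apostrophe is not, because HTML 4 has no &apos; entity. The real method
    also rewrites ISO-8859-1 characters to named entities, omitted here."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_radio_unescaped(name: str, value: str) -> str:
    """Pre-fix shape of radiomap.ftl: ?no_esc output written straight into a
    double-quoted attribute."""
    return f'<input type="radio" name="{name}" value="{value}"/>'


def render_radio(name: str, value: str) -> str:
    """Post-fix shape: double quotes neutralised, which is exactly what a
    double-quoted attribute context needs."""
    return (f'<input type="radio" name="{escape_double_quotes(name)}"'
            f' value="{escape_double_quotes(value)}"/>')


def render_radio_single_quoted(name: str, value: str) -> str:
    """Caveat: the same replace is no protection inside a single-quoted
    attribute, because single quotes are deliberately preserved. The fix
    relies on the template quoting the attribute with double quotes."""
    return (f"<input type='radio' name='{escape_double_quotes(name)}'"
            f" value='{escape_double_quotes(value)}'/>")


def redirect_body_before(location: str) -> str:
    """Pre-fix ServletRedirectResult behaviour: the URL written raw."""
    return location


def redirect_body_after(location: str) -> str:
    """Post-fix behaviour: escaped before it reaches the HTML body."""
    return escape_html4(location)


if __name__ == "__main__":
    payload = 'x" onfocus="alert(1)'
    print(attribute_names(render_radio_unescaped(payload, "v")))
    print(attribute_names(render_radio(payload, "v")))
    print(attribute_names(render_radio_single_quoted("x' onfocus='alert(1)", "v")))
    print(redirect_body_after("http://example.com/?a=1&b=<script>alert(1)</script>"))
```

Two things worth noticing when running it: the double-quote-only replace is sufficient precisely because the radio template quotes its attributes with `"`, and `escapeHtml4` leaves `'` alone, so the escaped redirect body is safe as text content or inside a double-quoted attribute but would not be safe inside a single-quoted one.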

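Why the missing style-src directive in Fix 2 matters, as an added example in Python rather than the project's Java: a browser resolves which directive governs a stylesheet fetch through the CSP Level 3 fallback chain (style-src-elem, then style-src, then default-src), and when none of them is present the fetch is unrestricted, so a nonce on a generated `<link>` is never checked. The example goes slightly beyond the PR text by including the `-elem` directives in the chain. The `build_csp_*` functions only sketch the shape of the policies the description mentions and do not reproduce the full directive list emitted by DefaultCspSettings; the nonce and policies are constructed, and only nonce matching is modelled (host and hash sources are not).

```python
# Added example (not part of the PR or the Struts code base): how a browser
# decides which directive governs a <link rel="stylesheet" nonce="..."> load,
# modelled in Python. The policies and nonce are constructed for the
# demonstration; only nonce matching is modelled, host and hash sources are not.
from typing import Optional

# CSP Level 3 fallback chains: the first directive present in the chain governs
# the fetch; when none is present the fetch is unrestricted.
FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
}


def build_csp_before(nonce: str) -> str:
    """Shape of the default policy the PR describes as pre-fix: script-src only."""
    return f"script-src 'nonce-{nonce}'"


def build_csp_after(nonce: str) -> str:
    """Shape of the policy with the added style-src directive (assumption: the
    real DefaultCspSettings output contains more than these two directives)."""
    return f"script-src 'nonce-{nonce}'; style-src 'nonce-{nonce}'"


def parse_csp(policy: str) -> dict:
    """Serialized policy -> {directive name: [source expressions]}. Names are
    case-insensitive; a directive repeated within one policy is ignored after
    its first occurrence, as browsers do."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(policy: str, element_directive: str) -> Optional[list]:
    """Walk the fallback chain; None means nothing in the policy restricts
    this kind of fetch."""
    directives = parse_csp(policy)
    for name in FALLBACK[element_directive]:
        if name in directives:
            return directives[name]
    return None


def element_allowed(policy: str, element_directive: str, nonce: str) -> bool:
    """Nonce check against the governing source list."""
    sources = effective_sources(policy, element_directive)
    if sources is None:
        return True  # unrestricted: the nonce attribute is decoration
    return f"'nonce-{nonce}'" in sources


def stylesheet_allowed(policy: str, nonce: str) -> bool:
    return element_allowed(policy, "style-src-elem", nonce)


def script_allowed(policy: str, nonce: str) -> bool:
    return element_allowed(policy, "script-src-elem", nonce)


if __name__ == "__main__":
    good, bad = "r4nd0m", "forged"
    for label, policy in (("before", build_csp_before(good)), ("after", build_csp_after(good))):
        print(label, "stylesheet with wrong nonce loads:", stylesheet_allowed(policy, bad))
        print(label, "script with wrong nonce loads:", script_allowed(policy, bad))
```

With the pre-fix policy a stylesheet carrying a wrong (or no) nonce still loads, while a script with a wrong nonce is blocked; only after `style-src 'nonce-...'` is present does the `<link>` nonce the framework already emits do any work. The `default-src 'self'` case in the test shows the other half of the fallback rule: a site that sets `default-src` gets stylesheets governed by it, which is why the PR's observation applies specifically to a policy that defines `script-src` alone.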