Is it possible to make ?html the default?
I'd like to turn on HTML/XML escaping by default to avoid XSS issues in my application. Is this possible? I tried the following with Spring MVC, but it doesn't seem to work:
<bean id="freemarkerConfig" class="org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer">
    <property name="templateLoaderPath" value="/"/>
    <property name="freemarkerSettings">
        <props>
            <prop key="datetime_format">MM/dd/yyyy</prop>
            <prop key="number_format">0.######</prop>
        </props>
    </property>
    <property name="freemarkerVariables">
        <map>
            <entry key="html_escape" value-ref="fmHtmlEscape"/>
        </map>
    </property>
</bean>

<bean id="fmHtmlEscape" class="freemarker.template.utility.HtmlEscape"/>
In my template, I have:
<#assign test = "<strong>stuff</strong>">
test = ${test}
And it prints out stuff in bold. If I use ${test?html}, it does what I want. I'd like to invert the logic, so escaping is the default and ?html turns off escaping. I'm not as concerned about turning off escaping as I am about making escaping the default.
Thanks,
Matt
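One way to get the inverted behaviour the question asks for, added here as an example and not part of Matt's post: FreeMarker 2.3.24 and later let you set an HTML output format on the `Configuration`, after which every `${...}` is escaped by default and `?no_esc` is the explicit opt-out. The snippet assumes a FreeMarker 2.3.24+ dependency and uses an in-memory template loader; the Spring XML wiring is not shown.

```java
import java.io.StringWriter;
import java.util.HashMap;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;

public class AutoEscapeDemo {

    // Constructed template mirroring the one in the question.
    // With HTML output format active, ${test} is escaped and ${test?no_esc}
    // is the deliberate opt-out (the inverse of the ?html pattern).
    private static final String TEMPLATE =
            "<#assign test = \"<strong>stuff</strong>\">\n"
          + "escaped   = ${test}\n"
          + "unescaped = ${test?no_esc}\n";

    public static String render() throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_24);
        // Make HTML the default output format: auto-escaping is enabled
        // for every interpolation unless the template opts out.
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);

        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("demo.ftl", TEMPLATE);
        cfg.setTemplateLoader(loader);

        Template template = cfg.getTemplate("demo.ftl");
        StringWriter out = new StringWriter();
        template.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.print(render());
    }
}
```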