Is it possible to make ?html the default?

>
> I'd like to turn on HTML/XML escaping by default to avoid XSS issues  
> in my
> application. Is this possible? I tried the following with Spring  
> MVC, but it
> doesn't seem to work:
>
>    <bean id="freemarkerConfig"
> class="org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer
> ">
>        <property name="templateLoaderPath" value="/"/>
>        <property name="freemarkerSettings">
>            <props>
>                <prop key="datetime_format">MM/dd/yyyy</prop>
>                <prop key="number_format">0.######</prop>
>            </props>
>        </property>
>        <property name="freemarkerVariables">
>            <map>
>                <entry key="html_escape" value-ref="fmHtmlEscape"/>
>            </map>
>        </property>
>    </bean>
>
>    <bean id="fmHtmlEscape"  
> class="freemarker.template.utility.HtmlEscape"/>
>
> In my template, I have:
>
> <#assign test = "<strong>stuff</strong>">
> test = ${test}
>
> And it prints out stuff in bold. If I use ${test?html}, it does what  
> I want.
> I'd like to invert the logic, so escaping is the default and ?html  
> turns off
> escaping. I'm not as concerned about turning off escaping as I am  
> about
> making escaping the default.
>
> Thanks,
>
> Matt

> The closest you can achieve is to enclose each template body into a
>
> [#escape x as x?html]
> ...
> [/#escape]
>
> block. To temporarily turn escaping off you can use [#noescape]
> blocks. Note also that [#escape] is actually evaluated at parse time,
> therefore its scoping is lexical. What this means in practical terms
> is that ${...} interpolations are automatically escaped if they occur
> in the template source file enclosed in [#escape] block. This is
> significant in case of macros, as escaping happens at the macro
> definition site, and is independent of the location it is later called
> from. This means that:
>
> [#escape x as x?html]
> [#macro x y]
> ${y}
> [/#macro]
> [/#escape]
>
> [@x "<"/]
>
> will output < while
>
> [#macro x y]
> ${y}
> [/#macro]
>
> [#escape x as x?html]
> [@x "<"/]
> [/#escape]
>
> will output <.
>
> Attila.
>
> On 2007.11.28., at 18:54, mraible wrote:
>
>>
>> I'd like to turn on HTML/XML escaping by default to avoid XSS issues
>> in my
>> application. Is this possible? I tried the following with Spring
>> MVC, but it
>> doesn't seem to work:
>>
>>    <bean id="freemarkerConfig"
>> class="org.springframework.web.servlet.view.freemarker.FreeMarkerConf
>> igurer
>> ">
>>        <property name="templateLoaderPath" value="/"/>
>>        <property name="freemarkerSettings">
>>            <props>
>>                <prop key="datetime_format">MM/dd/yyyy</prop>
>>                <prop key="number_format">0.######</prop>
>>            </props>
>>        </property>
>>        <property name="freemarkerVariables">
>>            <map>
>>                <entry key="html_escape" value-ref="fmHtmlEscape"/>
>>            </map>
>>        </property>
>>    </bean>
>>
>>    <bean id="fmHtmlEscape"
>> class="freemarker.template.utility.HtmlEscape"/>
>>
>> In my template, I have:
>>
>> <#assign test = "<strong>stuff</strong>">
>> test = ${test}
>>
>> And it prints out stuff in bold. If I use ${test?html}, it does what
>> I want.
>> I'd like to invert the logic, so escaping is the default and ?html
>> turns off
>> escaping. I'm not as concerned about turning off escaping as I am
>> about
>> making escaping the default.
>>
>> Thanks,
>>
>> Matt
>
>
>
>
> ----------------------------------------------------------------------
> ---
> SF.Net email is sponsored by: The Future of Linux Business White Paper
> from Novell.  From the desktop to the data center, Linux is going
> mainstream.  Let it simplify your IT future.
> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> _______________________________________________
> FreeMarker-user mailing list
> FreeMarker-user@...
> https://lists.sourceforge.net/lists/listinfo/freemarker-user

> If I was to modify FreeMarker to support escaping by default - where
> would I start?
>
> Thanks,
>
> Matt
>
> On Nov 28, 2007, at 12:01 PM, Attila Szegedi wrote:
>
>> The closest you can achieve is to enclose each template body into a
>>
>> [#escape x as x?html]
>> ...
>> [/#escape]
>>
>> block. To temporarily turn escaping off you can use [#noescape]
>> blocks. Note also that [#escape] is actually evaluated at parse time,
>> therefore its scoping is lexical. What this means in practical terms
>> is that ${...} interpolations are automatically escaped if they occur
>> in the template source file enclosed in [#escape] block. This is
>> significant in case of macros, as escaping happens at the macro
>> definition site, and is independent of the location it is later  
>> called
>> from. This means that:
>>
>> [#escape x as x?html]
>> [#macro x y]
>> ${y}
>> [/#macro]
>> [/#escape]
>>
>> [@x "<"/]
>>
>> will output < while
>>
>> [#macro x y]
>> ${y}
>> [/#macro]
>>
>> [#escape x as x?html]
>> [@x "<"/]
>> [/#escape]
>>
>> will output <.
>>
>> Attila.
>>
>> On 2007.11.28., at 18:54, mraible wrote:
>>
>>>
>>> I'd like to turn on HTML/XML escaping by default to avoid XSS issues
>>> in my
>>> application. Is this possible? I tried the following with Spring
>>> MVC, but it
>>> doesn't seem to work:
>>>
>>>   <bean id="freemarkerConfig"
>>> class
>>> ="org.springframework.web.servlet.view.freemarker.FreeMarkerConf
>>> igurer
>>> ">
>>>       <property name="templateLoaderPath" value="/"/>
>>>       <property name="freemarkerSettings">
>>>           <props>
>>>               <prop key="datetime_format">MM/dd/yyyy</prop>
>>>               <prop key="number_format">0.######</prop>
>>>           </props>
>>>       </property>
>>>       <property name="freemarkerVariables">
>>>           <map>
>>>               <entry key="html_escape" value-ref="fmHtmlEscape"/>
>>>           </map>
>>>       </property>
>>>   </bean>
>>>
>>>   <bean id="fmHtmlEscape"
>>> class="freemarker.template.utility.HtmlEscape"/>
>>>
>>> In my template, I have:
>>>
>>> <#assign test = "<strong>stuff</strong>">
>>> test = ${test}
>>>
>>> And it prints out stuff in bold. If I use ${test?html}, it does what
>>> I want.
>>> I'd like to invert the logic, so escaping is the default and ?html
>>> turns off
>>> escaping. I'm not as concerned about turning off escaping as I am
>>> about
>>> making escaping the default.
>>>
>>> Thanks,
>>>
>>> Matt
>>
>>
>>
>>
>> ----------------------------------------------------------------------
>> ---
>> SF.Net email is sponsored by: The Future of Linux Business White  
>> Paper
>> from Novell.  From the desktop to the data center, Linux is going
>> mainstream.  Let it simplify your IT future.
>> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
>> _______________________________________________
>> FreeMarker-user mailing list
>> FreeMarker-user@...
>> https://lists.sourceforge.net/lists/listinfo/freemarker-user
>
>
> -------------------------------------------------------------------------
> SF.Net email is sponsored by: The Future of Linux Business White Paper
> from Novell.  From the desktop to the data center, Linux is going
> mainstream.  Let it simplify your IT future.
> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> _______________________________________________
> FreeMarker-user mailing list
> FreeMarker-user@...
> https://lists.sourceforge.net/lists/listinfo/freemarker-user

>
> Thanks,
>
> Matt
>
>
> On Nov 28, 2007, at 12:01 PM, Attila Szegedi wrote:
>
> > The closest you can achieve is to enclose each template body into a
> >
> > [#escape x as x?html]
> > ...
> > [/#escape]
> >
> > block. To temporarily turn escaping off you can use [#noescape]
> > blocks. Note also that [#escape] is actually evaluated at parse time,
> > therefore its scoping is lexical. What this means in practical terms
> > is that ${...} interpolations are automatically escaped if they occur
> > in the template source file enclosed in [#escape] block. This is
> > significant in case of macros, as escaping happens at the macro
> > definition site, and is independent of the location it is later called
> > from. This means that:
> >
> > [#escape x as x?html]
> > [#macro x y]
> > ${y}
> > [/#macro]
> > [/#escape]
> >
> > [@x "<"/]
> >
> > will output < while
> >
> > [#macro x y]
> > ${y}
> > [/#macro]
> >
> > [#escape x as x?html]
> > [@x "<"/]
> > [/#escape]
> >
> > will output <.
> >
> > Attila.
> >
> > On 2007.11.28., at 18:54, mraible wrote:
> >
> >>
> >> I'd like to turn on HTML/XML escaping by default to avoid XSS issues
> >> in my
> >> application. Is this possible? I tried the following with Spring
> >> MVC, but it
> >> doesn't seem to work:
> >>
> >>    <bean id="freemarkerConfig"
> >> class="org.springframework.web.servlet.view.freemarker.FreeMarkerConf
> >> igurer
> >> ">
> >>        <property name="templateLoaderPath" value="/"/>
> >>        <property name="freemarkerSettings">
> >>            <props>
> >>                <prop key="datetime_format">MM/dd/yyyy</prop>
> >>                <prop key="number_format">0.######</prop>
> >>            </props>
> >>        </property>
> >>        <property name="freemarkerVariables">
> >>            <map>
> >>                <entry key="html_escape" value-ref="fmHtmlEscape"/>
> >>            </map>
> >>        </property>
> >>    </bean>
> >>
> >>    <bean id="fmHtmlEscape"
> >> class="freemarker.template.utility.HtmlEscape"/>
> >>
> >> In my template, I have:
> >>
> >> <#assign test = "<strong>stuff</strong>">
> >> test = ${test}
> >>
> >> And it prints out stuff in bold. If I use ${test?html}, it does what
> >> I want.
> >> I'd like to invert the logic, so escaping is the default and ?html
> >> turns off
> >> escaping. I'm not as concerned about turning off escaping as I am
> >> about
> >> making escaping the default.
> >>
> >> Thanks,
> >>
> >> Matt
> >
> >
> >
> >
> > ----------------------------------------------------------------------
> > ---
> > SF.Net email is sponsored by: The Future of Linux Business White Paper
> > from Novell.  From the desktop to the data center, Linux is going
> > mainstream.  Let it simplify your IT future.
> > http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> > _______________________________________________
> > FreeMarker-user mailing list
> > FreeMarker-user@...
> > https://lists.sourceforge.net/lists/listinfo/freemarker-user
>
>
> -------------------------------------------------------------------------
> SF.Net email is sponsored by: The Future of Linux Business White Paper
> from Novell.  From the desktop to the data center, Linux is going
> mainstream.  Let it simplify your IT future.
> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> _______________________________________________
> FreeMarker-user mailing list
> FreeMarker-user@...
> https://lists.sourceforge.net/lists/listinfo/freemarker-user
>

> On Nov 28, 2007 8:08 PM, Matt Raible <matt@...> wrote:
>> If I was to modify FreeMarker to support escaping by default - where
>> would I start?
>
> If you actually want to do this, you could tweak
> src/freemarker/core/DollarVariable.java. Where you have this method,
> you could replace this with something that does whatever to the string
> before outputting it.So, where you have:
>
> void accept(Environment env) throws TemplateException, IOException {
>         env.getOut().write(escapedExpression.getStringValue(env));
> }
>
> this could be replaced by:
>
> void accept(Environment env) throws TemplateException, IOException {
>         String output = escapedExpression.getStringValue(env);
>        
> env.getOut().write(freemarker.template.utility.StringUtil.HTMLEnc(output));
> }
>
>
> And then rebuild to have your custom freemarker.jar. that does this.
>
> Whether this is really desirable, I kind of doubt, but I figured it
> was right and proper to answer your question. :-)
>
> The newer 2.4 codebase has in place an API for writing your own FTL
> AST tree visitor so that you could walk the tree and do escaping in a
> separate step after parsing the template. In fact, come to think of
> it, in 2.4, I reworked the escaping so that it actually is an
> application of that tree visitor API. Basically, all that stufffis
> part of what is supposed to become a fuller API for tool developers to
> use. But I assume you're using 2.3. since we haven't had even a 2.4
> prerelease yet... We really should get going on this again. I know,
> it's mostly my fault, but there really are a lot of cool things in 2.4
> that have to be pushed out there.
>
> Regards,
>
> Jonathan
>
>
>
>>
>> Thanks,
>>
>> Matt
>>
>>
>> On Nov 28, 2007, at 12:01 PM, Attila Szegedi wrote:
>>
>> > The closest you can achieve is to enclose each template body into a
>> >
>> > [#escape x as x?html]
>> > ...
>> > [/#escape]
>> >
>> > block. To temporarily turn escaping off you can use [#noescape]
>> > blocks. Note also that [#escape] is actually evaluated at parse time,
>> > therefore its scoping is lexical. What this means in practical terms
>> > is that ${...} interpolations are automatically escaped if they occur
>> > in the template source file enclosed in [#escape] block. This is
>> > significant in case of macros, as escaping happens at the macro
>> > definition site, and is independent of the location it is later called
>> > from. This means that:
>> >
>> > [#escape x as x?html]
>> > [#macro x y]
>> > ${y}
>> > [/#macro]
>> > [/#escape]
>> >
>> > [@x "<"/]
>> >
>> > will output < while
>> >
>> > [#macro x y]
>> > ${y}
>> > [/#macro]
>> >
>> > [#escape x as x?html]
>> > [@x "<"/]
>> > [/#escape]
>> >
>> > will output <.
>> >
>> > Attila.
>> >
>> > On 2007.11.28., at 18:54, mraible wrote:
>> >
>> >>
>> >> I'd like to turn on HTML/XML escaping by default to avoid XSS issues
>> >> in my
>> >> application. Is this possible? I tried the following with Spring
>> >> MVC, but it
>> >> doesn't seem to work:
>> >>
>> >>    <bean id="freemarkerConfig"
>> >> class="org.springframework.web.servlet.view.freemarker.FreeMarkerConf
>> >> igurer
>> >> ">
>> >>        <property name="templateLoaderPath" value="/"/>
>> >>        <property name="freemarkerSettings">
>> >>            <props>
>> >>                <prop key="datetime_format">MM/dd/yyyy</prop>
>> >>                <prop key="number_format">0.######</prop>
>> >>            </props>
>> >>        </property>
>> >>        <property name="freemarkerVariables">
>> >>            <map>
>> >>                <entry key="html_escape" value-ref="fmHtmlEscape"/>
>> >>            </map>
>> >>        </property>
>> >>    </bean>
>> >>
>> >>    <bean id="fmHtmlEscape"
>> >> class="freemarker.template.utility.HtmlEscape"/>
>> >>
>> >> In my template, I have:
>> >>
>> >> <#assign test = "<strong>stuff</strong>">
>> >> test = ${test}
>> >>
>> >> And it prints out stuff in bold. If I use ${test?html}, it does what
>> >> I want.
>> >> I'd like to invert the logic, so escaping is the default and ?html
>> >> turns off
>> >> escaping. I'm not as concerned about turning off escaping as I am
>> >> about
>> >> making escaping the default.
>> >>
>> >> Thanks,
>> >>
>> >> Matt