
Re: Is it possible to make ?html the default?

by Attila Szegedi-3

The closest you can achieve is to enclose each template body into a

[#escape x as x?html]
...
[/#escape]

block. To temporarily turn escaping off you can use [#noescape]
blocks. Note also that [#escape] is actually evaluated at parse time,
therefore its scoping is lexical. What this means in practical terms
is that ${...} interpolations are automatically escaped if they occur
in the template source file enclosed in an [#escape] block. This is
significant in the case of macros, as escaping happens at the macro
definition site, and is independent of the location it is later called
from. This means that:

[#escape x as x?html]
[#macro x y]
${y}
[/#macro]
[/#escape]

[@x "<"/]

will output &lt; while

[#macro x y]
${y}
[/#macro]

[#escape x as x?html]
[@x "<"/]
[/#escape]

will output <.

Attila.

On 2007.11.28., at 18:54, mraible wrote:

>
> I'd like to turn on HTML/XML escaping by default to avoid XSS issues  
> in my
> application. Is this possible? I tried the following with Spring  
> MVC, but it
> doesn't seem to work:
>
>    <bean id="freemarkerConfig"
> class="org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer
> ">
>        <property name="templateLoaderPath" value="/"/>
>        <property name="freemarkerSettings">
>            <props>
>                <prop key="datetime_format">MM/dd/yyyy</prop>
>                <prop key="number_format">0.######</prop>
>            </props>
>        </property>
>        <property name="freemarkerVariables">
>            <map>
>                <entry key="html_escape" value-ref="fmHtmlEscape"/>
>            </map>
>        </property>
>    </bean>
>
>    <bean id="fmHtmlEscape"  
> class="freemarker.template.utility.HtmlEscape"/>
>
> In my template, I have:
>
> <#assign test = "<strong>stuff</strong>">
> test = ${test}
>
> And it prints out stuff in bold. If I use ${test?html}, it does what  
> I want.
> I'd like to invert the logic, so escaping is the default and ?html  
> turns off
> escaping. I'm not as concerned about turning off escaping as I am  
> about
> making escaping the default.
>
> Thanks,
>
> Matt
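The two cases Attila describes, rendered side by side. This is an added example and not code from the thread; it assumes FreeMarker 2.3.x on the classpath and loads the two templates from constructed strings via StringTemplateLoader.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Collections;
import java.util.Map;

public class EscapeScopeDemo {

    // Constructed template: macro defined INSIDE the [#escape] block,
    // so the ${y} in its body is escaped no matter where the macro is called.
    static final String MACRO_INSIDE_ESCAPE =
        "[#escape x as x?html]\n" +
        "[#macro x y]${y}[/#macro]\n" +
        "[/#escape]\n" +
        "[@x \"<\"/]";

    // Constructed template: macro defined OUTSIDE the [#escape] block.
    // Calling it from inside the block does not escape ${y}, because
    // escaping is applied lexically, at the macro definition site.
    static final String MACRO_OUTSIDE_ESCAPE =
        "[#macro x y]${y}[/#macro]\n" +
        "[#escape x as x?html]\n" +
        "[@x \"<\"/]\n" +
        "[/#escape]";

    // Render one template source with an empty data model (assumed FreeMarker 2.3.x API).
    static String render(String name, String source) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        cfg.setTagSyntax(Configuration.SQUARE_BRACKET_TAG_SYNTAX);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate(name, source);
        cfg.setTemplateLoader(loader);
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        Map<String, Object> model = Collections.emptyMap();
        t.process(model, out);
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        String inside = render("inside.ftl", MACRO_INSIDE_ESCAPE);
        String outside = render("outside.ftl", MACRO_OUTSIDE_ESCAPE);
        System.out.println("macro defined inside [#escape]:  " + inside);
        System.out.println("macro defined outside [#escape]: " + outside);
        // Only the first case neutralises the "<" argument; the second emits it raw.
        if (!"&lt;".equals(inside) || !"<".equals(outside)) {
            throw new AssertionError("escape scoping did not behave as described");
        }
    }
}
```

The practical consequence for a defender is that a macro library defined outside any [#escape] block stays unescaped even when called from escaped templates, so each template (or macro file) needs its own enclosing block.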




_______________________________________________
FreeMarker-user mailing list
FreeMarker-user@...
https://lists.sourceforge.net/lists/listinfo/freemarker-user
