If I were to modify FreeMarker to support escaping by default, where
would I start?
Thanks,
Matt
On Nov 28, 2007, at 12:01 PM, Attila Szegedi wrote:
> The closest you can achieve is to enclose each template body into a
>
> [#escape x as x?html]
> ...
> [/#escape]
>
> block. To temporarily turn escaping off you can use [#noescape]
> blocks. Note also that [#escape] is actually evaluated at parse time,
> therefore its scoping is lexical. What this means in practical terms
> is that ${...} interpolations are automatically escaped if they occur
> in the template source file enclosed in [#escape] block. This is
> significant in case of macros, as escaping happens at the macro
> definition site, and is independent of the location it is later called
> from. This means that:
>
> [#escape x as x?html]
> [#macro x y]
> ${y}
> [/#macro]
> [/#escape]
>
> [@x "<"/]
>
> will output &lt; while
>
> [#macro x y]
> ${y}
> [/#macro]
>
> [#escape x as x?html]
> [@x "<"/]
> [/#escape]
>
> will output <.
>
> Attila.
>
> On 2007.11.28., at 18:54, mraible wrote:
>
>>
>> I'd like to turn on HTML/XML escaping by default to avoid XSS issues in my
>> application. Is this possible? I tried the following with Spring MVC, but it
>> doesn't seem to work:
>>
>> <bean id="freemarkerConfig"
>> class="org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer">
>> <property name="templateLoaderPath" value="/"/>
>> <property name="freemarkerSettings">
>> <props>
>> <prop key="datetime_format">MM/dd/yyyy</prop>
>> <prop key="number_format">0.######</prop>
>> </props>
>> </property>
>> <property name="freemarkerVariables">
>> <map>
>> <entry key="html_escape" value-ref="fmHtmlEscape"/>
>> </map>
>> </property>
>> </bean>
>>
>> <bean id="fmHtmlEscape"
>> class="freemarker.template.utility.HtmlEscape"/>
>>
>> In my template, I have:
>>
>> <#assign test = "<strong>stuff</strong>">
>> test = ${test}
>>
>> And it prints out stuff in bold. If I use ${test?html}, it does what I want.
>> I'd like to invert the logic, so escaping is the default and ?html turns off
>> escaping. I'm not as concerned about turning off escaping as I am about
>> making escaping the default.
>>
>> Thanks,
>>
>> Matt
FreeMarker-user mailing list
FreeMarker-user@...
https://lists.sourceforge.net/lists/listinfo/freemarker-user
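One place to start, without patching the FreeMarker parser, is a TemplateLoader decorator that wraps every template body in the `<#escape x as x?html>` ... `</#escape>` block Attila describes before FreeMarker parses it. Because `#escape` is applied at parse time with lexical scope, every `${...}` in the file (macro bodies included) is then escaped, and a template opts out locally with `<#noescape>`. The class below is an added example written for this thread, not code from FreeMarker or from Spring's FreeMarkerConfigurer; the class name `HtmlEscapingTemplateLoader`, the in-memory template `page.ftl` and its contents are constructed for the demonstration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;

import freemarker.cache.StringTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/**
 * Hypothetical decorator: wraps each template source in an #escape block
 * before FreeMarker parses it, so HTML escaping becomes the default for
 * every ${...} in every template served by the wrapped loader.
 */
public class HtmlEscapingTemplateLoader implements TemplateLoader {
    // Angle-bracket syntax, matching templates written with <#assign> etc.
    // (Under tag-syntax auto-detection the first tag decides the syntax, so
    // square-bracket templates would need "[#escape x as x?html]" instead.)
    private static final String PREFIX = "<#escape x as x?html>";
    private static final String SUFFIX = "</#escape>";

    private final TemplateLoader delegate;

    public HtmlEscapingTemplateLoader(TemplateLoader delegate) {
        this.delegate = delegate;
    }

    public Object findTemplateSource(String name) throws IOException {
        return delegate.findTemplateSource(name);
    }

    public long getLastModified(Object templateSource) {
        return delegate.getLastModified(templateSource);
    }

    public void closeTemplateSource(Object templateSource) throws IOException {
        delegate.closeTemplateSource(templateSource);
    }

    // Read the real source, wrap it, and hand FreeMarker the wrapped text.
    public Reader getReader(Object templateSource, String encoding) throws IOException {
        Reader in = delegate.getReader(templateSource, encoding);
        try {
            return new StringReader(wrap(readFully(in)));
        } finally {
            in.close();
        }
    }

    /**
     * Inserts the escape block around the body. A <#ftl ...> header must stay
     * the very first thing in a template, so when one is present the block
     * opens right after it (assumes the header contains no literal '>').
     */
    static String wrap(String source) {
        int insertAt = 0;
        int firstNonWs = 0;
        while (firstNonWs < source.length()
                && Character.isWhitespace(source.charAt(firstNonWs))) {
            firstNonWs++;
        }
        if (source.startsWith("<#ftl", firstNonWs)) {
            int close = source.indexOf('>', firstNonWs);
            if (close < 0) {
                throw new IllegalArgumentException("unterminated <#ftl> header");
            }
            insertAt = close + 1;
        }
        return source.substring(0, insertAt) + PREFIX
                + source.substring(insertAt) + SUFFIX;
    }

    private static String readFully(Reader in) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            sb.append(buf, 0, n);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException, TemplateException {
        // Constructed in-memory template standing in for a file on disk.
        StringTemplateLoader files = new StringTemplateLoader();
        files.putTemplate("page.ftl",
                "<#macro show v>${v}</#macro>\n"
                + "<#assign test = \"<strong>stuff</strong>\">\n"
                + "escaped: ${test}\n"
                + "raw:     <#noescape>${test}</#noescape>\n"
                + "macro:   <@show test/>\n");

        Configuration cfg = new Configuration();
        cfg.setTemplateLoader(new HtmlEscapingTemplateLoader(files));

        Template t = cfg.getTemplate("page.ftl");
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        System.out.print(out);
    }
}
```

Rendering `page.ftl` through the wrapped loader shows the behaviour the thread describes: the plain `${test}` and the macro's `${v}` (defined inside the injected escape block, so escaped at the definition site) come out as `&lt;strong&gt;...`, while the `<#noescape>` line comes out raw. Two caveats for a defender: `?html` escapes `<`, `>`, `&` and `"`, which is right for HTML body text and double-quoted attributes but not for values placed inside `<script>`, event-handler attributes or URLs, so those contexts still need their own encoding; and since FreeMarker 2.3.24 this default is built in via the `output_format` setting (or `<#ftl output_format="HTML">`), so a wrapper like this is only needed on older versions.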