
Re: Is it possible to make ?html the default?

by Attila Szegedi-2

You shouldn't be forced to modify the source.

I'd probably consider writing my own TemplateLoader that wraps an
existing one, and instruments the source code of templates to envelop
it in [#escape]...[/#escape]. The only tricky bit is that if the file
starts with the [#ftl] directive, you'll want to skip past it first.

Attila.

On 2007.11.28., at 20:08, Matt Raible wrote:

> If I was to modify FreeMarker to support escaping by default - where
> would I start?
>
> Thanks,
>
> Matt
>
> On Nov 28, 2007, at 12:01 PM, Attila Szegedi wrote:
>
>> The closest you can achieve is to enclose each template body into a
>>
>> [#escape x as x?html]
>> ...
>> [/#escape]
>>
>> block. To temporarily turn escaping off you can use [#noescape]
>> blocks. Note also that [#escape] is actually evaluated at parse time,
>> therefore its scoping is lexical. What this means in practical terms
>> is that ${...} interpolations are automatically escaped if they occur
>> in the template source file enclosed in an [#escape] block. This is
>> significant in case of macros, as escaping happens at the macro
>> definition site, and is independent of the location it is later
>> called from. This means that:
>>
>> [#escape x as x?html]
>> [#macro x y]
>> ${y}
>> [/#macro]
>> [/#escape]
>>
>> [@x "<"/]
>>
>> will output &lt; while
>>
>> [#macro x y]
>> ${y}
>> [/#macro]
>>
>> [#escape x as x?html]
>> [@x "<"/]
>> [/#escape]
>>
>> will output <.
>>
>> Attila.
>>
>> On 2007.11.28., at 18:54, mraible wrote:
>>
>>>
>>> I'd like to turn on HTML/XML escaping by default to avoid XSS issues
>>> in my application. Is this possible? I tried the following with Spring
>>> MVC, but it doesn't seem to work:
>>>
>>>   <bean id="freemarkerConfig"
>>>         class="org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer">
>>>       <property name="templateLoaderPath" value="/"/>
>>>       <property name="freemarkerSettings">
>>>           <props>
>>>               <prop key="datetime_format">MM/dd/yyyy</prop>
>>>               <prop key="number_format">0.######</prop>
>>>           </props>
>>>       </property>
>>>       <property name="freemarkerVariables">
>>>           <map>
>>>               <entry key="html_escape" value-ref="fmHtmlEscape"/>
>>>           </map>
>>>       </property>
>>>   </bean>
>>>
>>>   <bean id="fmHtmlEscape" class="freemarker.template.utility.HtmlEscape"/>
>>>
>>> In my template, I have:
>>>
>>> <#assign test = "<strong>stuff</strong>">
>>> test = ${test}
>>>
>>> And it prints out stuff in bold. If I use ${test?html}, it does what
>>> I want. I'd like to invert the logic, so escaping is the default and
>>> ?html turns off escaping. I'm not as concerned about turning off
>>> escaping as I am about making escaping the default.
>>>
>>> Thanks,
>>>
>>> Matt
>>
>>
>>
>>
>> ----------------------------------------------------------------------
>> ---
>> SF.Net email is sponsored by: The Future of Linux Business White  
>> Paper
>> from Novell.  From the desktop to the data center, Linux is going
>> mainstream.  Let it simplify your IT future.
>> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
>> _______________________________________________
>> FreeMarker-user mailing list
>> FreeMarker-user@...
>> https://lists.sourceforge.net/lists/listinfo/freemarker-user
>
>

Attila.

--
home: http://www.szegedi.org
weblog: http://constc.blogspot.com
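An added illustration of the wrapping TemplateLoader Attila describes above (example code written for this archive page, not code from Attila or from the FreeMarker project): it delegates to an existing loader, reads each template's source, and encloses it in an escape block, inserting after a leading ftl header when one is present. The class name AutoEscapingTemplateLoader, the install helper and the regular expressions are assumptions of this example; the four TemplateLoader methods and Configuration.setTemplateLoader/getTemplateLoader are FreeMarker 2.3 API. One point the thread does not spell out is handled here: FreeMarker picks angle-bracket or square-bracket tag syntax from the first tag it sees, so the injected block must use whichever syntax the template already uses (Matt's template uses <#assign>), otherwise the template's own directives would be emitted as literal text.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import freemarker.cache.TemplateLoader;
import freemarker.template.Configuration;

/**
 * Hypothetical TemplateLoader decorator (not part of FreeMarker): every
 * template served by the wrapped loader comes back enclosed in
 * [#escape x as x?html] ... [/#escape], so ${...} is HTML-escaped by default
 * and [#noescape] is the opt-out, which is what the thread asks for.
 */
public class AutoEscapingTemplateLoader implements TemplateLoader {

    // The first FTL tag in a file decides which tag syntax FreeMarker auto-detects.
    private static final Pattern FIRST_TAG = Pattern.compile("[\\[<][#@]");
    // A leading header directive such as "[#ftl]", "[#ftl encoding='UTF-8']" or "<#ftl>".
    private static final Pattern FTL_HEADER = Pattern.compile("^\\s*[\\[<]#ftl\\b[^\\]>]*[\\]>]");

    private final TemplateLoader delegate;

    public AutoEscapingTemplateLoader(TemplateLoader delegate) {
        this.delegate = delegate;
    }

    public Object findTemplateSource(String name) throws IOException {
        return delegate.findTemplateSource(name);
    }

    public long getLastModified(Object templateSource) {
        return delegate.getLastModified(templateSource);
    }

    public void closeTemplateSource(Object templateSource) throws IOException {
        delegate.closeTemplateSource(templateSource);
    }

    // Read the real source, rewrite it, and hand FreeMarker the rewritten text instead.
    public Reader getReader(Object templateSource, String encoding) throws IOException {
        Reader in = delegate.getReader(templateSource, encoding);
        try {
            return new StringReader(wrapInEscape(readFully(in)));
        } finally {
            in.close();
        }
    }

    /** Pure rewrite step, kept separate so it can be unit-tested without a Configuration. */
    static String wrapInEscape(String source) {
        // Use the template's own tag syntax: injecting the other kind would flip
        // auto-detection and make the template's directives print as literal text.
        Matcher first = FIRST_TAG.matcher(source);
        boolean square = !first.find() || first.group().charAt(0) == '[';
        String open = square ? "[#escape x as x?html]" : "<#escape x as x?html>";
        String close = square ? "[/#escape]" : "</#escape>";

        // The ftl header has to stay first in the file, so insert after it when present.
        Matcher header = FTL_HEADER.matcher(source);
        int insertAt = header.find() ? header.end() : 0;

        return source.substring(0, insertAt) + open + source.substring(insertAt) + close;
    }

    private static String readFully(Reader in) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[4096];
        for (int n; (n = in.read(buf)) != -1; ) {
            sb.append(buf, 0, n);
        }
        return sb.toString();
    }

    // Install the wrapper around whatever loader the Configuration already has.
    public static void install(Configuration cfg) {
        cfg.setTemplateLoader(new AutoEscapingTemplateLoader(cfg.getTemplateLoader()));
    }
}
```

With the Spring setup quoted in the thread, the Configuration built by FreeMarkerConfigurer would need its template loader replaced with this wrapper once it has been created. Because the wrap is per file and [#escape] is lexical, a macro defined in an included file is escaped at its definition site exactly as Attila's two examples show, markup that is meant to be output raw has to sit inside [#noescape], and writing ?html on an interpolation inside the block now escapes twice.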



