
Re: Is it possible to make ?html the default?

by Jonathan Revusky-3


On Nov 28, 2007 8:08 PM, Matt Raible <matt@...> wrote:
> If I was to modify FreeMarker to support escaping by default - where
> would I start?

If you actually want to do this, you could tweak
src/freemarker/core/DollarVariable.java. Where you have this method,
you could replace this with something that does whatever to the string
before outputting it. So, where you have:

void accept(Environment env) throws TemplateException, IOException {
    // stock 2.3: the interpolated value is written out as-is
    env.getOut().write(escapedExpression.getStringValue(env));
}

this could be replaced by:

void accept(Environment env) throws TemplateException, IOException {
    String output = escapedExpression.getStringValue(env);
    // HTML-encode every ${...} interpolation before it reaches the output
    env.getOut().write(freemarker.template.utility.StringUtil.HTMLEnc(output));
}


And then rebuild to have your custom freemarker.jar that does this.

Whether this is really desirable, I kind of doubt, but I figured it
was right and proper to answer your question. :-)

The newer 2.4 codebase has in place an API for writing your own FTL
AST tree visitor so that you could walk the tree and do escaping in a
separate step after parsing the template. In fact, come to think of
it, in 2.4, I reworked the escaping so that it actually is an
application of that tree visitor API. Basically, all that stuff is
part of what is supposed to become a fuller API for tool developers to
use. But I assume you're using 2.3, since we haven't had even a 2.4
prerelease yet... We really should get going on this again. I know,
it's mostly my fault, but there really are a lot of cool things in 2.4
that have to be pushed out there.

Regards,

Jonathan
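An added stand-alone example, not code from the thread or from FreeMarker itself: it re-implements what the DollarVariable patch above does, using an encoder with the same four substitutions that freemarker.template.utility.StringUtil.HTMLEnc is assumed to make (&, <, >, "), applies it to Matt's test value, and shows the double-escaping a template still using ?html would then get.

```java
// Added example (not from the thread or FreeMarker's own code). htmlEnc() is
// assumed to match the substitutions of StringUtil.HTMLEnc; interpolate()
// models the patched DollarVariable.accept(), which encodes every ${...}.
public class EscapeByDefaultDemo {

    /** Same substitutions as StringUtil.HTMLEnc is assumed to make. */
    static String htmlEnc(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Models the patched accept(): the value is encoded before it is written. */
    static String interpolate(String value) {
        return htmlEnc(value);
    }

    public static void main(String[] args) {
        String test = "<strong>stuff</strong>";   // Matt's test value

        // Stock 2.3 behaviour: the raw markup reaches the browser (rendered bold).
        System.out.println("stock          : test = " + test);

        // Patched behaviour: ${test} is written as &lt;strong&gt;stuff&lt;/strong&gt;.
        System.out.println("patched        : test = " + interpolate(test));

        // Caveat: ${test?html} is now encoded twice, so "&lt;" becomes "&amp;lt;"
        // and the browser shows the entity text literally. The patch therefore
        // does not give the inverted semantics Matt asked for (?html switching
        // escaping off); templates that already use ?html need to drop it.
        System.out.println("patched + ?html: test = " + interpolate(htmlEnc(test)));
    }
}
```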



>
> Thanks,
>
> Matt
>
>
> On Nov 28, 2007, at 12:01 PM, Attila Szegedi wrote:
>
> > The closest you can achieve is to enclose each template body into a
> >
> > [#escape x as x?html]
> > ...
> > [/#escape]
> >
> > block. To temporarily turn escaping off you can use [#noescape]
> > blocks. Note also that [#escape] is actually evaluated at parse time,
> > therefore its scoping is lexical. What this means in practical terms
> > is that ${...} interpolations are automatically escaped if they occur
> > in the template source file enclosed in [#escape] block. This is
> > significant in case of macros, as escaping happens at the macro
> > definition site, and is independent of the location it is later called
> > from. This means that:
> >
> > [#escape x as x?html]
> > [#macro x y]
> > ${y}
> > [/#macro]
> > [/#escape]
> >
> > [@x "<"/]
> >
> > will output &lt; while
> >
> > [#macro x y]
> > ${y}
> > [/#macro]
> >
> > [#escape x as x?html]
> > [@x "<"/]
> > [/#escape]
> >
> > will output <.
> >
> > Attila.
> >
> > On 2007.11.28., at 18:54, mraible wrote:
> >
> >>
> >> I'd like to turn on HTML/XML escaping by default to avoid XSS issues
> >> in my application. Is this possible? I tried the following with
> >> Spring MVC, but it doesn't seem to work:
> >>
> >>    <bean id="freemarkerConfig"
> >>          class="org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer">
> >>        <property name="templateLoaderPath" value="/"/>
> >>        <property name="freemarkerSettings">
> >>            <props>
> >>                <prop key="datetime_format">MM/dd/yyyy</prop>
> >>                <prop key="number_format">0.######</prop>
> >>            </props>
> >>        </property>
> >>        <property name="freemarkerVariables">
> >>            <map>
> >>                <entry key="html_escape" value-ref="fmHtmlEscape"/>
> >>            </map>
> >>        </property>
> >>    </bean>
> >>
> >>    <bean id="fmHtmlEscape"
> >> class="freemarker.template.utility.HtmlEscape"/>
> >>
> >> In my template, I have:
> >>
> >> <#assign test = "<strong>stuff</strong>">
> >> test = ${test}
> >>
> >> And it prints out stuff in bold. If I use ${test?html}, it does what
> >> I want. I'd like to invert the logic, so escaping is the default and
> >> ?html turns off escaping. I'm not as concerned about turning off
> >> escaping as I am about making escaping the default.
> >>
> >> Thanks,
> >>
> >> Matt
> >
> >
> >
> >
> > ----------------------------------------------------------------------
> > ---
> > SF.Net email is sponsored by: The Future of Linux Business White Paper
> > from Novell.  From the desktop to the data center, Linux is going
> > mainstream.  Let it simplify your IT future.
> > http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> > _______________________________________________
> > FreeMarker-user mailing list
> > FreeMarker-user@...
> > https://lists.sourceforge.net/lists/listinfo/freemarker-user
>
>

