« Return to Thread: Is it possible to make ?html the default?
Re: Is it possible to make ?html the default?
by Daniel Dekany
::
Rate this Message:
Guys, this is again something that was told for multiple times here
(by me mostly... OK, maybe solely :) ), so I'm not happy that we again
speak about dirty workarounds: automatic escaping is crucial for a
template language. #escape is not enough, because it is not entirely
automatic. In FMPP I used a special TemplateLoader to achieve at least
a poor man's automatic escaping; it inserts the required directive
calls into the source code (not directly into the AST). But it doesn't
work perfectly since as I insert something before the original source
code, the line and/or column numbers will be displaced in the error
messages, and then don't mention errors in the inserted parts. This
error location displacement problem hinders all other template
preprocessing tricks as well (like transparent replacing of HTML tags
with directive calls, that I have used one for automating form
handling), and the solution (which was, BTW, already proposed a few
years ago) would be if you could specify a location mapper (a function
the maps locations to locations) in the result of the TemplateLoader.
BUT, back to the original topic, automatic escaping should be just a
configuration setting that maps template path patterns directly to a
TemplateMethodModel or to an "escpaing specification" in FTL (like "x
as x?html"), not a template preprocessing trick. Yeah, we have a
problem here, as FreeMarker wasn't auto-escaping by default from the
beginning, so now we have to fiddle with patterns to exclude the
templates that rather use manual escaping... (Anyway, the whole
config. API of FM is such a... or actually the whole API, but the
config. API is that I think is the most problematic in practice. As I
said, if there is serious interest and "scratch the itch" enthusiasm
and true willingness to lift serious weights, I can create a
more-or-less template language independent template engine API that
would be much more powerful, and that we could use FM as template
(after some adjustments in the language semantic though)... Although
of course I'm more interested in a more modern template language then,
but as multiple template languages can work together in a a well
designed template engine..)
Wednesday, November 28, 2007, 8:51:04 PM, Jonathan Revusky wrote:
> On Nov 28, 2007 8:08 PM, Matt Raible <matt@...> wrote:
>> If I was to modify FreeMarker to support escaping by default - where
>> would I start?
>
> If you actually want to do this, you could tweak
> src/freemarker/core/DollarVariable.java. Where you have this method,
> you could replace this with something that does whatever to the string
> before outputting it.So, where you have:
>
> void accept(Environment env) throws TemplateException, IOException {
> env.getOut().write(escapedExpression.getStringValue(env));
> }
>
> this could be replaced by:
>
> void accept(Environment env) throws TemplateException, IOException {
> String output = escapedExpression.getStringValue(env);
>
> env.getOut().write(freemarker.template.utility.StringUtil.HTMLEnc(output));
> }
>
>
> And then rebuild to have your custom freemarker.jar. that does this.
>
> Whether this is really desirable, I kind of doubt, but I figured it
> was right and proper to answer your question. :-)
>
> The newer 2.4 codebase has in place an API for writing your own FTL
> AST tree visitor so that you could walk the tree and do escaping in a
> separate step after parsing the template. In fact, come to think of
> it, in 2.4, I reworked the escaping so that it actually is an
> application of that tree visitor API. Basically, all that stufffis
> part of what is supposed to become a fuller API for tool developers to
> use. But I assume you're using 2.3. since we haven't had even a 2.4
> prerelease yet... We really should get going on this again. I know,
> it's mostly my fault, but there really are a lot of cool things in 2.4
> that have to be pushed out there.
>
> Regards,
>
> Jonathan
>
>
>
>>
>> Thanks,
>>
>> Matt
>>
>>
>> On Nov 28, 2007, at 12:01 PM, Attila Szegedi wrote:
>>
>> > The closest you can achieve is to enclose each template body into a
>> >
>> > [#escape x as x?html]
>> > ...
>> > [/#escape]
>> >
>> > block. To temporarily turn escaping off you can use [#noescape]
>> > blocks. Note also that [#escape] is actually evaluated at parse time,
>> > therefore its scoping is lexical. What this means in practical terms
>> > is that ${...} interpolations are automatically escaped if they occur
>> > in the template source file enclosed in [#escape] block. This is
>> > significant in case of macros, as escaping happens at the macro
>> > definition site, and is independent of the location it is later called
>> > from. This means that:
>> >
>> > [#escape x as x?html]
>> > [#macro x y]
>> > ${y}
>> > [/#macro]
>> > [/#escape]
>> >
>> > [@x "<"/]
>> >
>> > will output < while
>> >
>> > [#macro x y]
>> > ${y}
>> > [/#macro]
>> >
>> > [#escape x as x?html]
>> > [@x "<"/]
>> > [/#escape]
>> >
>> > will output <.
>> >
>> > Attila.
>> >
>> > On 2007.11.28., at 18:54, mraible wrote:
>> >
>> >>
>> >> I'd like to turn on HTML/XML escaping by default to avoid XSS issues
>> >> in my
>> >> application. Is this possible? I tried the following with Spring
>> >> MVC, but it
>> >> doesn't seem to work:
>> >>
>> >> <bean id="freemarkerConfig"
>> >> class="org.springframework.web.servlet.view.freemarker.FreeMarkerConf
>> >> igurer
>> >> ">
>> >> <property name="templateLoaderPath" value="/"/>
>> >> <property name="freemarkerSettings">
>> >> <props>
>> >> <prop key="datetime_format">MM/dd/yyyy</prop>
>> >> <prop key="number_format">0.######</prop>
>> >> </props>
>> >> </property>
>> >> <property name="freemarkerVariables">
>> >> <map>
>> >> <entry key="html_escape" value-ref="fmHtmlEscape"/>
>> >> </map>
>> >> </property>
>> >> </bean>
>> >>
>> >> <bean id="fmHtmlEscape"
>> >> class="freemarker.template.utility.HtmlEscape"/>
>> >>
>> >> In my template, I have:
>> >>
>> >> <#assign test = "<strong>stuff</strong>">
>> >> test = ${test}
>> >>
>> >> And it prints out stuff in bold. If I use ${test?html}, it does what
>> >> I want.
>> >> I'd like to invert the logic, so escaping is the default and ?html
>> >> turns off
>> >> escaping. I'm not as concerned about turning off escaping as I am
>> >> about
>> >> making escaping the default.
>> >>
>> >> Thanks,
>> >>
>> >> Matt
--
Best regards,
Daniel Dekany
-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell. From the desktop to the data center, Linux is going
mainstream. Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
FreeMarker-user mailing list
FreeMarker-user@...
https://lists.sourceforge.net/lists/listinfo/freemarker-user
(by me mostly... OK, maybe solely :) ), so I'm not happy that we again
speak about dirty workarounds: automatic escaping is crucial for a
template language. #escape is not enough, because it is not entirely
automatic. In FMPP I used a special TemplateLoader to achieve at least
a poor man's automatic escaping; it inserts the required directive
calls into the source code (not directly into the AST). But it doesn't
work perfectly since as I insert something before the original source
code, the line and/or column numbers will be displaced in the error
messages, and then don't mention errors in the inserted parts. This
error location displacement problem hinders all other template
preprocessing tricks as well (like transparent replacing of HTML tags
with directive calls, that I have used one for automating form
handling), and the solution (which was, BTW, already proposed a few
years ago) would be if you could specify a location mapper (a function
the maps locations to locations) in the result of the TemplateLoader.
BUT, back to the original topic, automatic escaping should be just a
configuration setting that maps template path patterns directly to a
TemplateMethodModel or to an "escpaing specification" in FTL (like "x
as x?html"), not a template preprocessing trick. Yeah, we have a
problem here, as FreeMarker wasn't auto-escaping by default from the
beginning, so now we have to fiddle with patterns to exclude the
templates that rather use manual escaping... (Anyway, the whole
config. API of FM is such a... or actually the whole API, but the
config. API is that I think is the most problematic in practice. As I
said, if there is serious interest and "scratch the itch" enthusiasm
and true willingness to lift serious weights, I can create a
more-or-less template language independent template engine API that
would be much more powerful, and that we could use FM as template
(after some adjustments in the language semantic though)... Although
of course I'm more interested in a more modern template language then,
but as multiple template languages can work together in a a well
designed template engine..)
Wednesday, November 28, 2007, 8:51:04 PM, Jonathan Revusky wrote:
> On Nov 28, 2007 8:08 PM, Matt Raible <matt@...> wrote:
>> If I was to modify FreeMarker to support escaping by default - where
>> would I start?
>
> If you actually want to do this, you could tweak
> src/freemarker/core/DollarVariable.java. Where you have this method,
> you could replace this with something that does whatever to the string
> before outputting it.So, where you have:
>
> void accept(Environment env) throws TemplateException, IOException {
> env.getOut().write(escapedExpression.getStringValue(env));
> }
>
> this could be replaced by:
>
> void accept(Environment env) throws TemplateException, IOException {
> String output = escapedExpression.getStringValue(env);
>
> env.getOut().write(freemarker.template.utility.StringUtil.HTMLEnc(output));
> }
>
>
> And then rebuild to have your custom freemarker.jar. that does this.
>
> Whether this is really desirable, I kind of doubt, but I figured it
> was right and proper to answer your question. :-)
>
> The newer 2.4 codebase has in place an API for writing your own FTL
> AST tree visitor so that you could walk the tree and do escaping in a
> separate step after parsing the template. In fact, come to think of
> it, in 2.4, I reworked the escaping so that it actually is an
> application of that tree visitor API. Basically, all that stufffis
> part of what is supposed to become a fuller API for tool developers to
> use. But I assume you're using 2.3. since we haven't had even a 2.4
> prerelease yet... We really should get going on this again. I know,
> it's mostly my fault, but there really are a lot of cool things in 2.4
> that have to be pushed out there.
>
> Regards,
>
> Jonathan
>
>
>
>>
>> Thanks,
>>
>> Matt
>>
>>
>> On Nov 28, 2007, at 12:01 PM, Attila Szegedi wrote:
>>
>> > The closest you can achieve is to enclose each template body into a
>> >
>> > [#escape x as x?html]
>> > ...
>> > [/#escape]
>> >
>> > block. To temporarily turn escaping off you can use [#noescape]
>> > blocks. Note also that [#escape] is actually evaluated at parse time,
>> > therefore its scoping is lexical. What this means in practical terms
>> > is that ${...} interpolations are automatically escaped if they occur
>> > in the template source file enclosed in [#escape] block. This is
>> > significant in case of macros, as escaping happens at the macro
>> > definition site, and is independent of the location it is later called
>> > from. This means that:
>> >
>> > [#escape x as x?html]
>> > [#macro x y]
>> > ${y}
>> > [/#macro]
>> > [/#escape]
>> >
>> > [@x "<"/]
>> >
>> > will output < while
>> >
>> > [#macro x y]
>> > ${y}
>> > [/#macro]
>> >
>> > [#escape x as x?html]
>> > [@x "<"/]
>> > [/#escape]
>> >
>> > will output <.
>> >
>> > Attila.
>> >
>> > On 2007.11.28., at 18:54, mraible wrote:
>> >
>> >>
>> >> I'd like to turn on HTML/XML escaping by default to avoid XSS issues
>> >> in my
>> >> application. Is this possible? I tried the following with Spring
>> >> MVC, but it
>> >> doesn't seem to work:
>> >>
>> >> <bean id="freemarkerConfig"
>> >> class="org.springframework.web.servlet.view.freemarker.FreeMarkerConf
>> >> igurer
>> >> ">
>> >> <property name="templateLoaderPath" value="/"/>
>> >> <property name="freemarkerSettings">
>> >> <props>
>> >> <prop key="datetime_format">MM/dd/yyyy</prop>
>> >> <prop key="number_format">0.######</prop>
>> >> </props>
>> >> </property>
>> >> <property name="freemarkerVariables">
>> >> <map>
>> >> <entry key="html_escape" value-ref="fmHtmlEscape"/>
>> >> </map>
>> >> </property>
>> >> </bean>
>> >>
>> >> <bean id="fmHtmlEscape"
>> >> class="freemarker.template.utility.HtmlEscape"/>
>> >>
>> >> In my template, I have:
>> >>
>> >> <#assign test = "<strong>stuff</strong>">
>> >> test = ${test}
>> >>
>> >> And it prints out stuff in bold. If I use ${test?html}, it does what
>> >> I want.
>> >> I'd like to invert the logic, so escaping is the default and ?html
>> >> turns off
>> >> escaping. I'm not as concerned about turning off escaping as I am
>> >> about
>> >> making escaping the default.
>> >>
>> >> Thanks,
>> >>
>> >> Matt
--
Best regards,
Daniel Dekany
-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell. From the desktop to the data center, Linux is going
mainstream. Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
FreeMarker-user mailing list
FreeMarker-user@...
https://lists.sourceforge.net/lists/listinfo/freemarker-user
« Return to Thread: Is it possible to make ?html the default?
| Free embeddable forum powered by Nabble | Forum Help |
