Guys, this is again something that was told for multiple times here
(by me mostly... OK, maybe solely :) ), so I'm not happy that we again
speak about dirty workarounds: automatic escaping is crucial for a
template language. #escape is not enough, because it is not entirely
automatic. In FMPP I used a special TemplateLoader to achieve at least
a poor man's automatic escaping; it inserts the required directive
calls into the source code (not directly into the AST). But it doesn't
work perfectly since as I insert something before the original source
code, the line and/or column numbers will be displaced in the error
messages, and then don't mention errors in the inserted parts. This
error location displacement problem hinders all other template
preprocessing tricks as well (like transparent replacing of HTML tags
with directive calls, that I have used one for automating form
handling), and the solution (which was, BTW, already proposed a few
years ago) would be if you could specify a location mapper (a function
the maps locations to locations) in the result of the TemplateLoader.
BUT, back to the original topic, automatic escaping should be just a
configuration setting that maps template path patterns directly to a
TemplateMethodModel or to an "escpaing specification" in FTL (like "x
as x?html"), not a template preprocessing trick. Yeah, we have a
problem here, as FreeMarker wasn't auto-escaping by default from the
beginning, so now we have to fiddle with patterns to exclude the
templates that rather use manual escaping... (Anyway, the whole
config. API of FM is such a... or actually the whole API, but the
config. API is that I think is the most problematic in practice. As I
said, if there is serious interest and "scratch the itch" enthusiasm
and true willingness to lift serious weights, I can create a
more-or-less template language independent template engine API that
would be much more powerful, and that we could use FM as template
(after some adjustments in the language semantic though)... Although
of course I'm more interested in a more modern template language then,
but as multiple template languages can work together in a a well
designed template engine..)
Post by Jonathan RevuskyPost by Matt RaibleIf I was to modify FreeMarker to support escaping by default - where
would I start?
If you actually want to do this, you could tweak
src/freemarker/core/DollarVariable.java. Where you have this method,
you could replace this with something that does whatever to the string
void accept(Environment env) throws TemplateException, IOException {
env.getOut().write(escapedExpression.getStringValue(env));
}
void accept(Environment env) throws TemplateException, IOException {
String output = escapedExpression.getStringValue(env);
env.getOut().write(freemarker.template.utility.StringUtil.HTMLEnc(output));
}
And then rebuild to have your custom freemarker.jar. that does this.
Whether this is really desirable, I kind of doubt, but I figured it
was right and proper to answer your question. :-)
The newer 2.4 codebase has in place an API for writing your own FTL
AST tree visitor so that you could walk the tree and do escaping in a
separate step after parsing the template. In fact, come to think of
it, in 2.4, I reworked the escaping so that it actually is an
application of that tree visitor API. Basically, all that stufffis
part of what is supposed to become a fuller API for tool developers to
use. But I assume you're using 2.3. since we haven't had even a 2.4
prerelease yet... We really should get going on this again. I know,
it's mostly my fault, but there really are a lot of cool things in 2.4
that have to be pushed out there.
Regards,
Jonathan
Post by Matt RaibleThanks,
Matt
Post by Attila SzegediThe closest you can achieve is to enclose each template body into a
[#escape x as x?html]
...
[/#escape]
block. To temporarily turn escaping off you can use [#noescape]
blocks. Note also that [#escape] is actually evaluated at parse time,
therefore its scoping is lexical. What this means in practical terms
is that ${...} interpolations are automatically escaped if they occur
in the template source file enclosed in [#escape] block. This is
significant in case of macros, as escaping happens at the macro
definition site, and is independent of the location it is later called
[#escape x as x?html]
[#macro x y]
${y}
[/#macro]
[/#escape]
will output < while
[#macro x y]
${y}
[/#macro]
[#escape x as x?html]
[/#escape]
will output <.
Attila.
Post by mraibleI'd like to turn on HTML/XML escaping by default to avoid XSS issues in my
application. Is this possible? I tried the following with Spring MVC, but it
<bean id="freemarkerConfig"
class="org.springframework.web.servlet.view.freemarker.FreeMarkerConf
igurer
">
<property name="templateLoaderPath" value="/"/>
<property name="freemarkerSettings">
<props>
<prop key="datetime_format">MM/dd/yyyy</prop>
<prop key="number_format">0.######</prop>
</props>
</property>
<property name="freemarkerVariables">
<map>
<entry key="html_escape" value-ref="fmHtmlEscape"/>
</map>
</property>
</bean>
<bean id="fmHtmlEscape"
class="freemarker.template.utility.HtmlEscape"/>
<#assign test = "<strong>stuff</strong>">
test = ${test}
And it prints out stuff in bold. If I use ${test?html}, it does what I want.
I'd like to invert the logic, so escaping is the default and ?html turns off
escaping. I'm not as concerned about turning off escaping as I am about
making escaping the default.
Thanks,
Matt
--
Best regards,
Daniel Dekany