You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@velocity.apache.org by "Jarkko Viinamäki (JIRA)" <de...@velocity.apache.org> on 2009/02/21 09:48:01 UTC
[jira] Created: (VELOCITY-705) Dynamic VTL reference modification
directive
Dynamic VTL reference modification directive
--------------------------------------------
Key: VELOCITY-705
URL: https://issues.apache.org/jira/browse/VELOCITY-705
Project: Velocity
Issue Type: New Feature
Components: Engine
Reporter: Jarkko Viinamäki
Currently EventHandlers are defined in velocity.properties like:
eventhandler.referenceinsertion.class =
The problem is that AFAIK this handler is active in every reference evaluation (and every template). I propose a dynamic setting that can be chained and turned on and off during template rendering.
Syntax might be something like:
#filter($myReferenceModifier)
any VTL here ($foo type references are modified using the class referred by $myReferenceModifier)
#end
The basic idea is that you put some classes that implement e.g. ReferenceInsertionEventHandler interface to the Context and then you can use those to filter/modify some selected parts of the template. #filter directive should allow nesting (one #filter directive contain another #filter directive).
It's probably also necessary to disable filtering for selected elements inside the filter block.
It might be also useful to be able to limit the amount of reference names that are passed to the filter. Like:
#filter($myReferenceModifier ['a', 'foo', 'html'])
----
Use Case for this feature is that often you need to escape form values and other elements to avoid XSS attacks etc. Escaping all references in all templates seems like an overkill (and isn't very performance friendly either). This feature would allow you to do escaping dynamically only for selected elements.
What do you think?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org
[jira] Commented: (VELOCITY-705) Dynamic VTL reference modification
directive
Posted by "Nathan Bubna (JIRA)" <de...@velocity.apache.org>.
[ https://issues.apache.org/jira/browse/VELOCITY-705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12677776#action_12677776 ]
Nathan Bubna commented on VELOCITY-705:
---------------------------------------
These ideas sound pretty good so far. It would be great to something more user-friendly and focused/focusable than EventHandlers, which i've never been thrilled with and didn't even use before Will's big upgrade to them in 1.5.
The writeReference(String) addition is nice, but i'd love to have filters for #filter be able to get ahold of references before toString() (or render(context, writer) is called on them. For instance, a filter that formatted number references would have to parse the string back to a number before formatting back into the desired string form. This probably can't be done at the writer level.
> Dynamic VTL reference modification directive
> --------------------------------------------
>
> Key: VELOCITY-705
> URL: https://issues.apache.org/jira/browse/VELOCITY-705
> Project: Velocity
> Issue Type: New Feature
> Components: Engine
> Reporter: Jarkko Viinamäki
>
> Currently EventHandlers are defined in velocity.properties like:
> eventhandler.referenceinsertion.class =
> The problem is that AFAIK this handler is active in every reference evaluation (and every template). I propose a dynamic setting that can be chained and turned on and off during template rendering.
> Syntax might be something like:
> #filter($myReferenceModifier)
> any VTL here ($foo type references are modified using the class referred by $myReferenceModifier)
> #end
> The basic idea is that you put some classes that implement e.g. ReferenceInsertionEventHandler interface to the Context and then you can use those to filter/modify some selected parts of the template. #filter directive should allow nesting (one #filter directive contain another #filter directive).
> It's probably also necessary to disable filtering for selected elements inside the filter block.
> It might be also useful to be able to limit the amount of reference names that are passed to the filter. Like:
> #filter($myReferenceModifier ['a', 'foo', 'html'])
> ----
> Use Case for this feature is that often you need to escape form values and other elements to avoid XSS attacks etc. Escaping all references in all templates seems like an overkill (and isn't very performance friendly either). This feature would allow you to do escaping dynamically only for selected elements.
> What do you think?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org
[jira] Commented: (VELOCITY-705) Dynamic VTL reference modification
directive
Posted by "Byron Foster (JIRA)" <de...@velocity.apache.org>.
[ https://issues.apache.org/jira/browse/VELOCITY-705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12677552#action_12677552 ]
Byron Foster commented on VELOCITY-705:
---------------------------------------
There is the notion of the Context event handler which is a little more dynamic, but unfortunately it is terribly inefficient.
In the 2.0exp branch I added a simple interface for writers just for this type of thing. the interface add a writeReference(String str) method. If the writer passed to Velocity implements this interface then it calls this method to write references instead of write(String). This provided the ability to intercept reference rendering at the writer level.
I implemented a directive called #escape that provides much of the functionality you describe and takes advantage of the above writer interface. you call it like #escape(xml) ... #end. The escaping behavior operates in a stack of course so you can do this type of thing:
#escape(xml)
...
#escape(url)
....
#end
#escape(none)
....
#end
...
#end
In reality I do web stuff, so escaping xml is on by default. Anyway, i was going to submit it once I had test driven it for a while, and liked how it worked. 2.0 may not work for you :), but you're welcome to take a look. Making it work for 1.7 wouldn't be a big deal. I was thinking of also implementing the ability to take a Map as a parameter which maps chars to escape sequences. so you could call it like #escape($myesc) where $myesc contains the map.
> Dynamic VTL reference modification directive
> --------------------------------------------
>
> Key: VELOCITY-705
> URL: https://issues.apache.org/jira/browse/VELOCITY-705
> Project: Velocity
> Issue Type: New Feature
> Components: Engine
> Reporter: Jarkko Viinamäki
>
> Currently EventHandlers are defined in velocity.properties like:
> eventhandler.referenceinsertion.class =
> The problem is that AFAIK this handler is active in every reference evaluation (and every template). I propose a dynamic setting that can be chained and turned on and off during template rendering.
> Syntax might be something like:
> #filter($myReferenceModifier)
> any VTL here ($foo type references are modified using the class referred by $myReferenceModifier)
> #end
> The basic idea is that you put some classes that implement e.g. ReferenceInsertionEventHandler interface to the Context and then you can use those to filter/modify some selected parts of the template. #filter directive should allow nesting (one #filter directive contain another #filter directive).
> It's probably also necessary to disable filtering for selected elements inside the filter block.
> It might be also useful to be able to limit the amount of reference names that are passed to the filter. Like:
> #filter($myReferenceModifier ['a', 'foo', 'html'])
> ----
> Use Case for this feature is that often you need to escape form values and other elements to avoid XSS attacks etc. Escaping all references in all templates seems like an overkill (and isn't very performance friendly either). This feature would allow you to do escaping dynamically only for selected elements.
> What do you think?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org
[jira] Commented: (VELOCITY-705) Dynamic VTL reference modification
directive
Posted by "Byron Foster (JIRA)" <de...@velocity.apache.org>.
[ https://issues.apache.org/jira/browse/VELOCITY-705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12677902#action_12677902 ]
Byron Foster commented on VELOCITY-705:
---------------------------------------
Yea, the writeReference method was really specifically suited for escaping, given that it seems it should be the last thing performed. For example you may have a date format which produces "April 1 > 3000" which would then need to be escaped in the case of XML.
> Dynamic VTL reference modification directive
> --------------------------------------------
>
> Key: VELOCITY-705
> URL: https://issues.apache.org/jira/browse/VELOCITY-705
> Project: Velocity
> Issue Type: New Feature
> Components: Engine
> Reporter: Jarkko Viinamäki
>
> Currently EventHandlers are defined in velocity.properties like:
> eventhandler.referenceinsertion.class =
> The problem is that AFAIK this handler is active in every reference evaluation (and every template). I propose a dynamic setting that can be chained and turned on and off during template rendering.
> Syntax might be something like:
> #filter($myReferenceModifier)
> any VTL here ($foo type references are modified using the class referred by $myReferenceModifier)
> #end
> The basic idea is that you put some classes that implement e.g. ReferenceInsertionEventHandler interface to the Context and then you can use those to filter/modify some selected parts of the template. #filter directive should allow nesting (one #filter directive contain another #filter directive).
> It's probably also necessary to disable filtering for selected elements inside the filter block.
> It might be also useful to be able to limit the amount of reference names that are passed to the filter. Like:
> #filter($myReferenceModifier ['a', 'foo', 'html'])
> ----
> Use Case for this feature is that often you need to escape form values and other elements to avoid XSS attacks etc. Escaping all references in all templates seems like an overkill (and isn't very performance friendly either). This feature would allow you to do escaping dynamically only for selected elements.
> What do you think?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org