Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2021/09/08 12:59:27 UTC
Freemarker auto-escaping
Hi,
Long ago we opened https://issues.apache.org/jira/browse/OFBIZ-7675 for that
A few days ago Dániel Dékány (VP and main contributor to the Apache Freemarker project) wrote at FREEMARKER-189 (https://s.apache.org/fitxs):
<<I strongly recommend using HTML auto-escaping instead of ?html (see in the Manual). [...] Then people can't accidentally forget adding them....>>
I was reluctant to use all auto-escaping features. But I believe we should follow Forrest Rae
<https://issues.apache.org/jira/secure/ViewProfile.jspa?name=fbr%4014x.net>'s suggestion at OFBIZ-7041
<https://issues.apache.org/jira/browse/OFBIZ-7041> that we turn Freemarker autoescaping on. Quoting him there:
<<This new version of FreeMarker includes auto-escaping and output formats. The <#escape> directive has been deprecated. Notice the comment at the
very end of this page:
"FreeMarker automatically escapes all values printed ... if it's properly configured (that's the responsibility of the programmers; see here how
<http://freemarker.org/docs/pgui_config_outputformatsautoesc.html>)."
Would be good to turn autoescaping on, and set the configuration to match .ftl as HTML and .fo.ftl as XML.>>
I mean the last part of Forrest Rae <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=fbr%4014x.net>'s proposition, i.e.:
1. remove all "?html" expressions and rename all nameIt.ftl files to nameIt.ftlh
2. remove all <#escape x as x?xml> ... </#escape> pairs and rename all nameIt.fo.ftl files to nameIt.fo.ftlx
I think these changes are safe (to be tested of course).
What do you think?
Thanks
Jacques
Re: Freemarker auto-escaping
Posted by Gil Portenseigne <gi...@nereide.fr>.
Hello,
I used to define `<#ftl output_format="XML">` on top of ftl files for
this purpose.
But having this on file extension looks nice to me.
Thanks Jacques for the heads up.
Gil
On Wed, Sep 08, 2021 at 02:59:27PM +0200, Jacques Le Roux wrote:
> Hi,
>
> Long ago we opened https://issues.apache.org/jira/browse/OFBIZ-7675 for that
>
> A few days ago Dániel Dékány (VP and main contributor to the Apache Freemarker project) wrote at FREEMARKER-189 (https://s.apache.org/fitxs):
>
> <<I strongly recommend using HTML auto-escaping instead of ?html (see in the Manual). [...] Then people can't accidentally forget adding them....>>
>
> I was reluctant to use all auto-escaping features. But I believe we should
> follow Forrest Rae
> <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=fbr%4014x.net>'s
> suggestion at OFBIZ-7041 <https://issues.apache.org/jira/browse/OFBIZ-7041>
> that we turn Freemarker autoescaping on. Quoting him there:
>
> <<This new version of FreeMarker includes auto-escaping and output formats. The <#escape> directive has been deprecated. Notice the comment at the
> very end of this page:
> "FreeMarker automatically escapes all values printed ... if it's properly configured (that's the responsibility of the programmers; see here how
> <http://freemarker.org/docs/pgui_config_outputformatsautoesc.html>)."
> Would be good to turn autoescaping on, and set the configuration to match .ftl as HTML and .fo.ftl as XML.>>
>
> I mean the last part of Forrest Rae <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=fbr%4014x.net>'s proposition, i.e.:
>
> 1. remove all "?html" expressions and rename all nameIt.ftl files to nameIt.ftlh
> 2. remove all <#escape x as x?xml> ... </#escape> pairs and rename all nameIt.fo.ftl files to nameIt.fo.ftlx
>
> I think these changes are safe (to be tested of course).
>
> What do you think?
>
> Thanks
>
> Jacques
>
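The following is an added example, not code from the OFBiz or FreeMarker projects nor from either poster, that shows the two approaches discussed in this thread side by side: the extension-based mapping Forrest Rae proposed (`*.fo.ftl` as XML, any other `*.ftl` as HTML, with the standard `.ftlh`/`.ftlx` extensions recognised by FreeMarker itself) and Gil's per-file `<#ftl output_format="XML">` header. It assumes the FreeMarker 2.3.31 Java API; the template names, template bodies and the data-model value are constructed for the demonstration. Rendering the same untrusted string through each template shows where markup is escaped and where it is not, and that `?no_esc` becomes the single, greppable way to emit raw markup once auto-escaping is on.

```java
// Added example (not OFBiz or FreeMarker project code). Assumes FreeMarker 2.3.31.
// Template names, bodies and the data model below are constructed for illustration.
import freemarker.cache.ConditionalTemplateConfigurationFactory;
import freemarker.cache.FileNameGlobMatcher;
import freemarker.cache.FirstMatchTemplateConfigurationFactory;
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateConfiguration;
import freemarker.core.XMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateExceptionHandler;

import java.io.StringWriter;
import java.util.Collections;
import java.util.Map;

public class AutoEscapeDemo {

    // Constructed untrusted value, as a user-supplied field might contain it.
    // Contains &, ", <, > and ' so the HTML and XML escapers can be told apart.
    private static final Map<String, Object> MODEL =
            Collections.singletonMap("name", "Tom & \"Jerry\" <b>O'Neil</b>");

    // Configuration with in-memory templates and no output-format mapping.
    private static Configuration baseConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        StringTemplateLoader loader = new StringTemplateLoader();
        // Same body in every template; only the name (extension) and header differ.
        loader.putTemplate("page.ftl",       "<p>${name}</p>");
        loader.putTemplate("page.ftlh",      "<p>${name}</p>");
        loader.putTemplate("report.fo.ftl",  "<fo:block>${name}</fo:block>");
        loader.putTemplate("report.fo.ftlx", "<fo:block>${name}</fo:block>");
        // Gil's per-file approach: the header declares the output format itself.
        loader.putTemplate("header.ftl",
                "<#ftl output_format=\"XML\"><fo:block>${name}</fo:block>");
        // Explicit opt-out: the only way to emit raw markup once auto-escaping is on,
        // so every such place is visible in code review.
        loader.putTemplate("trusted.ftlh",   "<p>${name?no_esc}</p>");
        cfg.setTemplateLoader(loader);
        return cfg;
    }

    // Forrest Rae's mapping: *.fo.ftl -> XML, any other *.ftl -> HTML. The order matters
    // because "*.ftl" also matches "report.fo.ftl"; FirstMatch takes the first hit.
    // .ftlh and .ftlx are handled by FreeMarker's standard-extension recognition.
    private static Configuration mappedConfig() {
        Configuration cfg = baseConfig();
        cfg.setRecognizeStandardFileExtensions(true);
        TemplateConfiguration xml = new TemplateConfiguration();
        xml.setOutputFormat(XMLOutputFormat.INSTANCE);
        TemplateConfiguration html = new TemplateConfiguration();
        html.setOutputFormat(HTMLOutputFormat.INSTANCE);
        cfg.setTemplateConfigurations(new FirstMatchTemplateConfigurationFactory(
                new ConditionalTemplateConfigurationFactory(new FileNameGlobMatcher("*.fo.ftl"), xml),
                new ConditionalTemplateConfigurationFactory(new FileNameGlobMatcher("*.ftl"), html)
        ).allowNoMatch(true)); // templates with other extensions keep the default (no) format
        return cfg;
    }

    // Render one named template against the constructed model and return the output.
    static String render(Configuration cfg, String name) throws Exception {
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        t.process(MODEL, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration plain = baseConfig();
        Configuration mapped = mappedConfig();
        // Unmapped .ftl has no output format: ${name} is written verbatim, which is
        // exactly the case a forgotten ?html used to leave open.
        System.out.println("page.ftl, no mapping:   " + render(plain, "page.ftl"));
        // With the mapping, the same file is HTML-escaped without any ?html in it.
        System.out.println("page.ftl, mapped:       " + render(mapped, "page.ftl"));
        System.out.println("page.ftlh:              " + render(mapped, "page.ftlh"));
        // XML output format for FOP templates (apostrophe escaped the XML way).
        System.out.println("report.fo.ftl, mapped:  " + render(mapped, "report.fo.ftl"));
        System.out.println("report.fo.ftlx:         " + render(mapped, "report.fo.ftlx"));
        // The <#ftl output_format="XML"> header works even without any mapping.
        System.out.println("header.ftl, no mapping: " + render(plain, "header.ftl"));
        // ?no_esc is the explicit, reviewable exception.
        System.out.println("trusted.ftlh:           " + render(mapped, "trusted.ftlh"));
    }
}
```

Run it with `freemarker.jar` on the classpath. The first line is the one to compare against the rest: with neither a mapping nor a header, the `<b>` and quotes pass through untouched, whereas every other line is escaped with no per-expression `?html` or `<#escape>` in the template. The `allowNoMatch(true)` call is deliberate: a template whose name matches none of the rules falls back to the configuration default rather than failing to load, so a mapping like this should be paired with a check that no template is left in the undefined output format.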