Posted to notifications@freemarker.apache.org by GitBox <gi...@apache.org> on 2019/09/19 06:09:42 UTC

[GitHub] [freemarker] ddekany commented on issue #60: Make `js_string` more safety.

ddekany commented on issue #60:  Make `js_string` more safety.
URL: https://github.com/apache/freemarker/pull/60#issuecomment-532982038
   If we are talking about security, you should use auto-escaping (https://freemarker.apache.org/docs/dgui_quickstart_template.html#dgui_quickstart_template_autoescaping). Then such a bug in a template wouldn't be a security issue as well (you just end up with a broken attribute value). I'm not convinced that we should change the default behavior of `js_escape` for this (maybe some wouldn't like the new, long result). I mean the solution is there, and it's a safer practice. (Because, like, what if the template author doesn't quote the attribute value? Then this workaround won't work.)
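To make the two escaping layers in this argument concrete, here is an added Python model (not FreeMarker's code and not part of the thread): a deliberately simplified `js_string` stands in for the `?js_string` builtin, `html.escape` stands in for HTML auto-escaping, and both are applied to a `${value?js_string}` placed inside a quoted `onclick` attribute. The value `O"Reilly` is a constructed sample.

```python
import html

# Simplified model of FreeMarker's ?js_string: escape only what would end or
# alter a JavaScript string literal. This is an illustration, NOT the builtin.
JS_STRING_ESCAPES = {
    "\\": "\\\\",
    '"': '\\"',
    "'": "\\'",
    "\n": "\\n",
    "\r": "\\r",
}


def js_string(value: str) -> str:
    """JS string-literal escaping (simplified model of ?js_string)."""
    return "".join(JS_STRING_ESCAPES.get(ch, ch) for ch in value)


def render_onclick(value: str, auto_escape: bool) -> str:
    """Render the template fragment <button onclick="show('${value?js_string}')">.

    js_string only handles the JavaScript layer. With auto_escape=True the HTML
    output format additionally HTML-escapes the interpolated result, which is
    what FreeMarker's HTML auto-escaping does for ${...} in an HTML template.
    """
    js = js_string(value)
    if auto_escape:
        js = html.escape(js, quote=True)  # '"' becomes '&quot;', cannot close the attribute
    return f"<button onclick=\"show('{js}')\">"


def attribute_intact(tag: str) -> bool:
    """True if the onclick value is still enclosed by exactly one pair of double quotes.

    js_string turns '"' into '\\"', but the HTML parser still sees a literal '"'
    there, so without HTML escaping the attribute ends early.
    """
    return tag.count('"') == 2


# Constructed sample: an ordinary value that happens to contain a double quote.
SAMPLE = 'O"Reilly'

if __name__ == "__main__":
    for auto in (False, True):
        tag = render_onclick(SAMPLE, auto)
        print(f"auto_escape={auto}: {tag}  intact={attribute_intact(tag)}")
```

Without auto-escaping the rendered tag contains three double quotes, so the attribute is terminated inside the value; with auto-escaping the quote is emitted as `&quot;` and the attribute boundary survives.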

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services