Posted to user@struts.apache.org by River Tarnell <ri...@attenuate.org> on 2007/04/06 06:21:43 UTC

FreeMarker evaluating result of s.url?

hello,

i have a FreeMarker template which looks like this:

<@s.url id="viewurl" includeParams="none" action="view"
	title=title.text />
<a href="${viewurl}">View</a>

as long as title.text contains "simple" text, this works fine: it
outputs <a href=".../view.action?title=whatever">.  however, if the
literal value of title.text looks like a FreeMarker expression,
FreeMarker actually evaluates the result of the s.url.  e.g. if
title.text was "${foo}", and ${foo} had the value "bar", the output
would be:

  <a href=".../view.action?title=bar">

instead of:

  <a href=".../view.action?title=${foo}">

why is this happening, and how can i stop it?  (it seems to prevent
outputting any user-supplied data in a URL...)

thanks,
	- river.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
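
Added example, not part of the original post and not FreeMarker or Struts code: a Python model of the behaviour described above, in which a toy `${name}` renderer either interpolates the generated URL once as data or evaluates it again as template source. `render`, `build_url` and the page functions are hypothetical names, and the percent-encoding variant is an assumption about one way to keep `${` out of the generated URL.

```python
import re
from urllib.parse import quote

_INTERP = re.compile(r"\$\{(\w+)\}")  # toy ${name} syntax only, not real FTL

def render(source, model):
    """One pass over template source; substituted values are not re-scanned."""
    return _INTERP.sub(lambda m: str(model.get(m.group(1), "")), source)

def build_url(title, encode=False):
    """Hypothetical stand-in for the URL tag; unencoded by default, as in the thread's output."""
    return "view.action?title=" + (quote(title, safe="") if encode else title)

def page_as_data(model, encode=False):
    """URL is placed in the model and interpolated once: user text stays data."""
    m = dict(model, viewurl=build_url(model["title"], encode))
    return render('<a href="${viewurl}">View</a>', m)

def page_as_source(model, encode=False):
    """URL is spliced into template source, which is then evaluated: the reported behaviour."""
    source = '<a href="' + build_url(model["title"], encode) + '">View</a>'
    return render(source, model)

def reevaluates(page_fn, **kw):
    """Regression check: a canary expression in user data must come out literally."""
    model = {"title": "${canary}", "canary": "EVALUATED"}
    return "EVALUATED" in page_fn(model, **kw)

# Constructed input matching the example in the post: title.text is "${foo}", foo is "bar".
SAMPLE = {"title": "${foo}", "foo": "bar"}

if __name__ == "__main__":
    print(page_as_data(SAMPLE))                  # user text kept literal
    print(page_as_source(SAMPLE))                # user text evaluated a second time
    print(page_as_source(SAMPLE, encode=True))   # encoded value no longer matches ${...}
    print(reevaluates(page_as_data), reevaluates(page_as_source))
```

Running the canary check against every template that echoes request data finds second-pass evaluation without depending on each caller remembering to escape.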


Re: FreeMarker evaluating result of s.url?

Posted by River Tarnell <ri...@attenuate.org>.
On Fri, 2007-04-06 at 14:03 -0400, Musachy Barroso wrote:
> FreeMarker will replace ${X} for the value of X anywhere on your ftl file,

sure, but in this case the ${X} is not in the ftl file, it's returned by
<@s.url> - i never explicitly write ${foo} anywhere, but FreeMarker
expands it to "bar" because the generated URL includes that string.

i find it hard to believe that having the Action wrap every string
attribute with a "${" -> "$\{" replacement is a reasonable way to do
this... other than being an enormous amount of effort to maintain, it
seems very easy to make a mistake and introduce various security issues
(where the user could embed arbitrary ftl code in GET attributes, or
whatever).

if this really is the case then i suppose i will go back to using JSP
instead - any advantage of having a simple template language is negated
by the amount of extra code required.

	- river.




Re: FreeMarker evaluating result of s.url?

Posted by Musachy Barroso <mu...@gmail.com>.
FreeMarker will replace ${X} for the value of X anywhere on your ftl file,
if you want to have a literal ${X} that is not expanded, you need to use
$\{X}

musachy

On 4/6/07, River Tarnell <ri...@attenuate.org> wrote:
>
> On Fri, 2007-04-06 at 09:29 -0400, Musachy Barroso wrote:
> > You will have to escape it so freemarker doesn't expand it, like:
>
> > $\{test}
>
> thanks, but i'm not sure i understand... does this mean that whenever i
> use s.url, i need to do something like
>
> <@s.url id="viewurl" includeParams="none" action="view"
>         title=title.freemarkerEscapedText />
>
> ... where getFreemarkerEscapedText manually replaces "${" with "$\{"?
>
>         - river.
>


-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd

Re: FreeMarker evaluating result of s.url?

Posted by River Tarnell <ri...@attenuate.org>.
On Fri, 2007-04-06 at 09:29 -0400, Musachy Barroso wrote:
> You will have to escape it so freemarker doesn't expand it, like:

> $\{test}

thanks, but i'm not sure i understand... does this mean that whenever i
use s.url, i need to do something like 

<@s.url id="viewurl" includeParams="none" action="view"
        title=title.freemarkerEscapedText />

... where getFreemarkerEscapedText manually replaces "${" with "$\{"?

	- river.




Re: FreeMarker evaluating result of s.url?

Posted by Musachy Barroso <mu...@gmail.com>.
You will have to escape it so freemarker doesn't expand it, like:

$\{test}

http://freemarker.sourceforge.net/docs/dgui_template_exp.html

regards
musachy

On 4/6/07, River Tarnell <ri...@attenuate.org> wrote:
>
> hello,
>
> i have a FreeMarker template which looks like this:
>
> <@s.url id="viewurl" includeParams="none" action="view"
>         title=title.text />
> <a href="${viewurl}">View</a>
>
> as long as title.text contains "simple" text, this works fine: it
> outputs <a href=".../view.action?title=whatever">.  however, if the
> literal value of title.text looks like a FreeMarker expression,
> FreeMarker actually evaluates the result of the s.url.  e.g. if
> title.text was "${foo}", and ${foo} had the value "bar", the output
> would be:
>
>   <a href=".../view.action?title=bar">
>
> instead of:
>
>   <a href=".../view.action?title=${foo}">
>
> why is this happening, and how can i stop it?  (it seems to prevent
> outputting any user-supplied data in a URL...)
>
> thanks,
>         - river.
>


-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd