Posted to user@struts.apache.org by River Tarnell <ri...@attenuate.org> on 2007/04/06 06:21:43 UTC
FreeMarker evaluating result of s.url?
hello,
i have a FreeMarker template which looks like this:
<@s.url id="viewurl" includeParams="none" action="view"
title=title.text />
<a href="${viewurl}">View</a>
as long as title.text contains "simple" text, this works fine: it
outputs <a href=".../view.action?title=whatever">. however, if the
literal value of title.text looks like a FreeMarker expression,
FreeMarker actually evaluates the result of the s.url. e.g. if
title.text was "${foo}", and ${foo} had the value "bar", the output
would be:
<a href=".../view.action?title=bar">
instead of:
<a href=".../view.action?title=${foo}">
why is this happening, and how can i stop it? (it seems to prevent
outputting any user-supplied data in a URL...)
thanks,
- river.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: FreeMarker evaluating result of s.url?
Posted by River Tarnell <ri...@attenuate.org>.
On Fri, 2007-04-06 at 14:03 -0400, Musachy Barroso wrote:
> FreeMarker will replace ${X} for the value of X anywhere on your ftl file,
sure, but in this case the ${X} is not in the ftl file, it's returned by
<@s.url> - i never explicitly write ${foo} anywhere, but FreeMarker
expands it to "bar" because the generated URL includes that string.
i find it hard to believe that having the Action wrap every string
attribute with a "${" -> "$\{" replacement is a reasonable way to do
this... other than being an enormous amount of effort to maintain, it
seems very easy to make a mistake and introduce various security issues
(where the user could embed arbitrary ftl code in GET attributes, or
whatever).
if this really is the case then i suppose i will go back to using JSP
instead - any advantage of having a simple template language is negated
by the amount of extra code required.
- river.
Re: FreeMarker evaluating result of s.url?
Posted by Musachy Barroso <mu...@gmail.com>.
FreeMarker will replace ${X} for the value of X anywhere on your ftl file,
if you want to have a literal ${X} that is not expanded, you need to use
$\{X}
musachy
On 4/6/07, River Tarnell <ri...@attenuate.org> wrote:
>
> On Fri, 2007-04-06 at 09:29 -0400, Musachy Barroso wrote:
> > You will have to escape it so freemarker doesn't expand it, like:
>
> > $\{test}
>
> thanks, but i'm not sure i understand... does this mean that whenever i
> use s.url, i need to do something like
>
> <@s.url id="viewurl" includeParams="none" action="view"
> title=title.freemarkerEscapedText />
>
> ... where getFreemarkerEscapedText manually replaces "${" with "$\{"?
>
> - river.
--
"Hey you! Would you help me to carry the stone?" Pink Floyd
Re: FreeMarker evaluating result of s.url?
Posted by River Tarnell <ri...@attenuate.org>.
On Fri, 2007-04-06 at 09:29 -0400, Musachy Barroso wrote:
> You will have to escape it so freemarker doesn't expand it, like:
> $\{test}
thanks, but i'm not sure i understand... does this mean that whenever i
use s.url, i need to do something like
<@s.url id="viewurl" includeParams="none" action="view"
title=title.freemarkerEscapedText />
... where getFreemarkerEscapedText manually replaces "${" with "$\{"?
- river.
Re: FreeMarker evaluating result of s.url?
Posted by Musachy Barroso <mu...@gmail.com>.
You will have to escape it so freemarker doesn't expand it, like:
$\{test}
http://freemarker.sourceforge.net/docs/dgui_template_exp.html
regards
musachy
On 4/6/07, River Tarnell <ri...@attenuate.org> wrote:
>
> hello,
>
> i have a FreeMarker template which looks like this:
>
> <@s.url id="viewurl" includeParams="none" action="view"
> title=title.text />
> <a href="${viewurl}">View</a>
>
> as long as title.text contains "simple" text, this works fine: it
> outputs <a href=".../view.action?title=whatever">. however, if the
> literal value of title.text looks like a FreeMarker expression,
> FreeMarker actually evaluates the result of the s.url. e.g. if
> title.text was "${foo}", and ${foo} had the value "bar", the output
> would be:
>
> <a href=".../view.action?title=bar">
>
> instead of:
>
> <a href=".../view.action?title=${foo}">
>
> why is this happening, and how can i stop it? (it seems to prevent
> outputting any user-supplied data in a URL...)
>
> thanks,
> - river.
--
"Hey you! Would you help me to carry the stone?" Pink Floyd
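
Added example, not part of the thread and not Struts or FreeMarker project code: the difference the thread turns on, between a value that reaches FreeMarker as template source (parsed, so ${foo} is evaluated) and the same value supplied through the data model (written out as data). It uses plain FreeMarker without the Struts tags; the class name, the "title" and "foo" model keys and the sample values are constructed for illustration, and the FreeMarker jar is assumed to be on the classpath.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class SecondPassDemo {
    // Parse `source` as FTL and render it against `model`.
    static String render(Configuration cfg, String source, Map<String, Object> model)
            throws Exception {
        StringWriter out = new StringWriter();
        new Template("inline", new StringReader(source), cfg).process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        cfg.setURLEscapingCharset("UTF-8"); // required by the ?url built-in

        // Constructed sample data: "title" stands in for the user-supplied title.text.
        Map<String, Object> model = new HashMap<>();
        model.put("foo", "bar");
        model.put("title", "${foo}");

        // Unsafe pattern: the value is pasted into template *source*, so the
        // parser sees ${foo} as an interpolation and evaluates it.
        String unsafeSource =
            "<a href=\"view.action?title=" + model.get("title") + "\">View</a>";
        System.out.println("as source: " + render(cfg, unsafeSource, model));

        // Value passed through the data model: ${title} is evaluated once and
        // its result is written out without being parsed again.
        String asData = "<a href=\"view.action?title=${title}\">View</a>";
        System.out.println("as data:   " + render(cfg, asData, model));

        // Same, percent-encoded for the query string, so '$', '{' and '}' do not
        // survive as literal characters for any later layer that scans the URL.
        String encoded = "<a href=\"view.action?title=${title?url}\">View</a>";
        System.out.println("encoded:   " + render(cfg, encoded, model));
    }
}
```

Comparing the three printed lines shows which path lets user-controlled text act as template code; a review for this class of bug looks for any place where rendered output or request data is fed back in as template source.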