OFBIZ-12587: Implement Freemarker WhitelistMemberAccessPolicy

Type: Patch

Description

In its API, Freemarker provides WhitelistMemberAccessPolicy, where it mentions TemplateAccessible, and there it says:

Note that adding something to the whitelist doesn't necessarily make it visible from templates; see WhitelistMemberAccessPolicy documentation.

So back to the WhitelistMemberAccessPolicy API documentation, which says 2 things:

Of course, this can only deal with the ObjectWrapper aspect of safety; please check the Manual to see what else is needed.

So far, I did not find any other documentation than the WhitelistMemberAccessPolicy API but the FAQ (see below). In the WhitelistMemberAccessPolicy API I read:

Also, since this is related to security, read the documentation of MemberAccessPolicy, to know about the pitfalls and edge cases related to MemberAccessPolicy-es in general.

So maybe I miss something somewhere.

Something else is interesting in the WhitelistMemberAccessPolicy API:

Note that if you add TemplateModel-s directly to the data-model, those are not wrapped by the ObjectWrapper (from Configurable.getObjectWrapper()), and so the MemberAccessPolicy won't affect those.

So WhitelistMemberAccessPolicy is not a magic wand; more must be done. The FAQ should be of some help. Notably in OFBiz's case:

Always expect that templates may get some objects that you haven't put into the data-model yourself. Notably, templates can always get a Locale object with the .locale_object expression. Or the web application framework you are using may expose some objects, like attributes from the Servlet scopes. Such objects will still be wrapped with the ObjectWrapper that you set in the Configuration, and this is why it's important to ensure safety on that level. Controlling what objects the template will have access to is hard, but you can control centrally what members of any object they have access to.

This also needs to be taken into consideration:

Template-loader (Configuration.setTemplateLoader): Templates may load other templates by name (by path), like <#include "../secret.txt">. To avoid loading sensitive data, you have to use a TemplateLoader that double-checks that the file to load is something that should be exposed. FreeMarker tries to prevent the loading of files outside the template root directory regardless of template loader, but depending on the underlying storage mechanism, exploits may exist that FreeMarker can't consider (like, just as an example, ~ jumps to the current user's home directory). Note that freemarker.cache.FileTemplateLoader checks the canonical paths, so that's maybe a good candidate for this task, yet adding a file extension check (file must be *.ftl) is maybe a good idea.
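As an added illustration (not code from the attached patches or from OFBiz), the two pieces the description points at wired into one Configuration: a DefaultObjectWrapper whose MemberAccessPolicy is a WhitelistMemberAccessPolicy, and a FileTemplateLoader wrapped so that only *.ftl names are resolved. The class name, the two whitelisted selectors and the 2.3.31 version constant are constructed for the example; MemberSelector.parse and setMemberAccessPolicy are assumed to be the 2.3.30+ API.

```java
import java.io.File;
import java.io.IOException;
import java.io.Reader;
import java.util.Arrays;
import freemarker.cache.FileTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.ext.beans.MemberSelectorListMemberAccessPolicy.MemberSelector;
import freemarker.ext.beans.WhitelistMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;

// Constructed example class; not part of OFBiz.
public class SafeFreemarkerSetup {

    // Wraps any TemplateLoader and refuses names that are not *.ftl.
    // FileTemplateLoader already compares canonical paths; this adds the extension rule
    // the FAQ recommends on top of it.
    static final class FtlOnlyTemplateLoader implements TemplateLoader {
        private final TemplateLoader delegate;
        FtlOnlyTemplateLoader(TemplateLoader delegate) { this.delegate = delegate; }

        public Object findTemplateSource(String name) throws IOException {
            // Returning null means "no such template", so <#include "../secret.txt">
            // fails with a template-not-found error instead of reading the file.
            if (!name.endsWith(".ftl")) {
                return null;
            }
            return delegate.findTemplateSource(name);
        }
        public long getLastModified(Object src) { return delegate.getLastModified(src); }
        public Reader getReader(Object src, String enc) throws IOException { return delegate.getReader(src, enc); }
        public void closeTemplateSource(Object src) throws IOException { delegate.closeTemplateSource(src); }
    }

    public static Configuration build(File templateRoot, ClassLoader cl) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);

        // Whitelist: only the listed members (plus @TemplateAccessible ones, per the API doc)
        // are reachable on objects that go through this ObjectWrapper. Selectors are
        // "fully.qualified.Class.member(paramTypes)"; these two are illustrative only.
        WhitelistMemberAccessPolicy policy = new WhitelistMemberAccessPolicy(Arrays.asList(
                MemberSelector.parse("java.lang.String.length()", cl),
                MemberSelector.parse("java.util.Map.get(java.lang.Object)", cl)));
        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        owb.setMemberAccessPolicy(policy);
        cfg.setObjectWrapper(owb.build());

        // Template loading: canonical-path check from FileTemplateLoader + *.ftl filter.
        cfg.setTemplateLoader(new FtlOnlyTemplateLoader(new FileTemplateLoader(templateRoot)));
        return cfg;
    }
}
```

TemplateModel objects put directly into the data-model bypass this wrapper, as the API doc quoted above warns, so they still need reviewing separately.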

Attachments

  1. OFBIZ-12587-2.patch (21 kB, Jacques Le Roux)
  2. OFBIZ-12587-1.patch (21 kB, Jacques Le Roux)
  3. OFBIZ-12587.patch (22 kB, Jacques Le Roux)

People: jleroux (Jacques Le Roux)