[OFBIZ-7675] Investigate if we should turn Freemarker autoescaping on - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Closed
Priority: Minor
Resolution: Won't Do
Affects Version/s: Trunk
Fix Version/s: None
Component/s: framework
Labels:
None

Description

At ~~OFBIZ-7041~~ fbr@14x.net suggested that we turn Freemarker autoescaping on. Quoting him there:

This new version of FreeMarker includes auto-escaping and output formats. The <#escape> directive has been deprecated. Notice the comment at the very end of this page:

"FreeMarker automatically escapes all values printed ... if it's properly configured (that's the responsibility of the programmers; see here how)."

Would be good to turn autoescaping on, and set the configuration to match .ftl as HTML and .fo.ftl as XML.

pfm.smits asked

If we are going down that path I guess we have to visit a lot of Freemarker template files, right?

Here is my answer

We don' t use any <#escape> directives in all OFBiz. We have a couple of <#noescape> which should be replaced by <#noautoesc>. So I agree we could set the Freemarker environement to auto-escaping, and test if it has not unexpected side-effects.

Could be that this will fix or complicate the issue I crossed (at bottom) of ~~OFBIZ-7041~~ and more recently at ~~OFBIZ-7343~~, let's see...

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OFBIZ-7675-plugins.zip
26/Sep/21 16:45
2.89 MB
Jacques Le Roux
OFBIZ-7675-framework.patch
23/Sep/21 10:16
699 kB
Jacques Le Roux
OFBIZ-7675.patch
03/Dec/18 19:26
63 kB
Deepak Dixit
OFBIZ-7675-plugins.patch
03/Dec/18 19:26
5 kB
Deepak Dixit

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 29/Jun/16 11:38

Updated:: 26/Sep/21 16:46

Resolved:: 23/Sep/21 13:36