Details
New Feature
Status: Closed
Minor
Resolution: Won't Do
Trunk
None
None
Description
At OFBIZ-7041 fbr@14x.net suggested that we turn FreeMarker autoescaping on. Quoting him there:
This new version of FreeMarker includes auto-escaping and output formats. The <#escape> directive has been deprecated. Notice the comment at the very end of this page:
"FreeMarker automatically escapes all values printed ... if it's properly configured (that's the responsibility of the programmers; see here how)."
Would be good to turn autoescaping on, and set the configuration to match .ftl as HTML and .fo.ftl as XML.
pfm.smits asked
If we are going down that path I guess we have to visit a lot of Freemarker template files, right?
Here is my answer
We don't use any <#escape> directives in all OFBiz. We have a couple of <#noescape> which should be replaced by <#noautoesc>. So I agree we could set the FreeMarker environment to auto-escaping, and test whether it has unexpected side effects.
Could be that this will fix or complicate the issue I crossed (at bottom) of OFBIZ-7041 and more recently at OFBIZ-7343, let's see...
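The configuration suggested in the quote above (.ftl as HTML, .fo.ftl as XML), as an added example that is not OFBiz code or part of the original issue. The class name, template names and data values are constructed, and it assumes a FreeMarker release with output formats (the `VERSION_2_3_24` constant) on the classpath.

```java
import freemarker.cache.ConditionalTemplateConfigurationFactory;
import freemarker.cache.FileNameGlobMatcher;
import freemarker.cache.FirstMatchTemplateConfigurationFactory;
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateConfiguration;
import freemarker.core.XMLOutputFormat;
import freemarker.template.Configuration;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Hypothetical class name; illustrates per-extension output formats only.
public class AutoEscapeConfigExample {
    public static void main(String[] args) throws Exception {
        // HTML and XML output formats auto-escape ${...} under the default policy.
        TemplateConfiguration html = new TemplateConfiguration();
        html.setOutputFormat(HTMLOutputFormat.INSTANCE);
        TemplateConfiguration xml = new TemplateConfiguration();
        xml.setOutputFormat(XMLOutputFormat.INSTANCE);

        Configuration cfg = new Configuration(Configuration.VERSION_2_3_24);
        // First match wins, so *.fo.ftl must come before the broader *.ftl,
        // which would otherwise also match the XSL-FO templates.
        cfg.setTemplateConfigurations(new FirstMatchTemplateConfigurationFactory(
                new ConditionalTemplateConfigurationFactory(new FileNameGlobMatcher("*.fo.ftl"), xml),
                new ConditionalTemplateConfigurationFactory(new FileNameGlobMatcher("*.ftl"), html))
                .allowNoMatch(true)); // other file names keep the default format

        // Constructed in-memory templates so the example runs without files.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("page.ftl",
                "<p>${name}</p> <#noautoesc>${trusted}</#noautoesc> ${trusted?no_esc}");
        loader.putTemplate("report.fo.ftl", "<fo:block>${name}</fo:block>");
        cfg.setTemplateLoader(loader);

        Map<String, Object> model = new HashMap<>();
        model.put("name", "<b>Tom & 'Jerry'</b>"); // constructed untrusted value
        model.put("trusted", "<em>ok</em>");       // constructed pre-built markup

        // Print both renderings: name is escaped per format, trusted is not.
        for (String t : new String[] {"page.ftl", "report.fo.ftl"}) {
            StringWriter out = new StringWriter();
            cfg.getTemplate(t).process(model, out);
            System.out.println(t + " -> " + out);
        }
    }
}
```

Every remaining `<#noautoesc>` block or `?no_esc` call in a template is a place where values bypass escaping, so those are the spots to review after switching the setting on.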