Java Mailing List Archive

http://www.junlu.com/


Re: [FreeMarker-user] safe end user editable template, can freemarker be used for this?

Daniel Dekany

2011-11-16


Tuesday, November 15, 2011, 5:36:06 PM, S Ahmed wrote:

> Say I have a template that I want end users to be able to edit, and
> thus this has to be safe from them being able to output the database
> connection string or other unsafe operations.
>
> Can freemarker be used?
>
> Can I have it such that freemarker will ONLY parse specific objects?
>
> Say I have a page that displays products, so I load a
> List<Products> variable and send that to my view page.
>
> The end user can only use this @products variable, and is prevented
> from doing anything else that could be a security issue.
>
> Possible?

It's possible to restrict the accessible variables, however it may
require some extra work on your side. But there are other dangers
too, like DoS attacks. So I wouldn't allow the generic public to
upload/edit templates, but it's maybe OK to allow that for the
employees of the customer or the like (a more accountable group of
people).

If you do this, it's important to know all the catches, so please
read:

http://freemarker.org/docs/app_faq.html#faq_template_uploading_security

> Ruby has something like this already called liquid: http://liquidmarkup.org/

--
Best regards,
Daniel Dekany
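A minimal hardening of the FreeMarker configuration along the lines Daniel describes, as an added example that is not code from this thread or from the FreeMarker project. The Product class, the template text and the version constant are assumptions; the data model holds only the `products` variable, the object wrapper exposes bean properties only, and the `?new` and `?api` built-ins are disabled.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.BeansWrapper;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringWriter;
import java.util.*;

public class RestrictedTemplateDemo {
    // Hypothetical domain object; only its bean properties are visible to templates.
    public static class Product {
        private final String name; private final double price;
        public Product(String name, double price) { this.name = name; this.price = price; }
        public String getName() { return name; }
        public double getPrice() { return price; }
    }

    // Build a Configuration that exposes as little as possible to an untrusted template.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31); // assumed version
        // Block ?new, which could otherwise instantiate arbitrary TemplateMethodModel classes.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Keep ?api off so templates cannot reach the raw Java objects behind the wrapper.
        cfg.setAPIBuiltinEnabled(false);
        // Expose JavaBean properties only: no arbitrary method calls, no public fields.
        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        owb.setExposureLevel(BeansWrapper.EXPOSE_PROPERTIES_ONLY);
        owb.setExposeFields(false);
        cfg.setObjectWrapper(owb.build());
        return cfg;
    }

    // Render a user-edited template with a data model that holds only the products list.
    static String render(String userTemplate, List<Product> products) throws IOException, TemplateException {
        Map<String, Object> model = new HashMap<>();
        model.put("products", products); // the sole variable the template can reference
        Template t = new Template("user-template", userTemplate, hardenedConfiguration());
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        List<Product> products = Arrays.asList(new Product("Widget", 9.99), new Product("Gadget", 19.5));
        System.out.println(render("<#list products as p>${p.name}: ${p.price}\n</#list>", products));
        try { // Anything outside the model (e.g. a connection string) is an error, not a leak.
            render("${dbConnectionString}", products);
        } catch (TemplateException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

This covers the variable-access side only; the DoS danger Daniel mentions still needs a cap on template size and a timeout around `process()`, since FreeMarker does not limit execution time on its own.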


_______________________________________________
FreeMarker-user mailing list
FreeMarker-user@(protected)
https://lists.sourceforge.net/lists/listinfo/freemarker-user