Re: [FreeMarker-user] safe end user editable template, can freemarker be used for this?

Daniel Dekany


Tuesday, November 15, 2011, 5:36:06 PM, S Ahmed wrote:

> Say I have a template that I want end users to be able to edit, and
> thus this has to be safe from them being able to output the database
> connection string or other unsafe operations.
> Can freemarker be used?
> Can I have it such that freemarker will ONLY parse specific objects?
> Say I have a page that displays products, so I load a
> List<Products> variable and send that to my view page.
> The end user can only use this @products variable, and is prevented
> from doing anything else that could be a security issue.
> Possible?

It's possible to restrict the accessible variables, however it may
require some extra work on your side. But there are other dangers
too, like DoS attacks. So I wouldn't allow the generic public to
upload/edit templates, but it's maybe OK to allow that for the
employees of the customer or like (a more accountable group of

If you do this, it's important to know all the catches, so please

> Ruby has something like this already called liquid:

Best regards,
Daniel Dekany
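The restriction Daniel describes, as an added example that is not part of the original thread and not FreeMarker's own documentation: the data model is an explicit map holding only `products`, templates are loaded from an in-memory `StringTemplateLoader` so `<#include>` cannot reach the file system, the `?new` built-in is blocked with `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER`, and `?api` is switched off. It also bounds the amount of output a template may produce, which addresses one of the DoS shapes he mentions. The `Product` bean, the template names, the `BoundedWriter` helper and the hostile template strings are assumptions made for the demo; `setAPIBuiltinEnabled` is a FreeMarker 2.3.22+ setting that did not exist when this 2011 message was written.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class RestrictedTemplateDemo {

    // Hypothetical bean; under the default (EXPOSE_SAFE) object wrapper only its
    // public getters are visible to the template.
    public static class Product {
        private final String name;
        private final double price;
        public Product(String name, double price) { this.name = name; this.price = price; }
        public String getName() { return name; }
        public double getPrice() { return price; }
    }

    // Helper (not a FreeMarker class): aborts rendering once the template has
    // produced more than `limit` characters, so a runaway loop cannot fill memory.
    static class BoundedWriter extends Writer {
        private final Writer out;
        private final int limit;
        private int written;
        BoundedWriter(Writer out, int limit) { this.out = out; this.limit = limit; }
        @Override public void write(char[] cbuf, int off, int len) throws IOException {
            written += len;
            if (written > limit) throw new IOException("output limit of " + limit + " chars exceeded");
            out.write(cbuf, off, len);
        }
        @Override public void flush() throws IOException { out.flush(); }
        @Override public void close() throws IOException { out.close(); }
    }

    static Configuration buildConfiguration(String templateName, String templateSource) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Templates come only from this in-memory loader, so <#include>/<#import>
        // cannot read arbitrary files or classpath resources.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate(templateName, templateSource);
        cfg.setTemplateLoader(loader);
        // Block ?new, which would let the template instantiate arbitrary classes
        // (e.g. freemarker.template.utility.Execute).
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Block ?api, which would expose the raw Java API of wrapped objects.
        cfg.setAPIBuiltinEnabled(false);
        // Rethrow errors instead of writing a stack trace into the rendered page.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    static String render(String templateSource, List<Product> products, int outputLimit)
            throws IOException, TemplateException {
        Configuration cfg = buildConfiguration("user", templateSource);
        // The data model is an explicit map: the template sees "products" and nothing else.
        Map<String, Object> model = new HashMap<>();
        model.put("products", products);
        StringWriter out = new StringWriter();
        Template t = cfg.getTemplate("user");
        t.process(model, new BoundedWriter(out, outputLimit));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data.
        List<Product> products = new ArrayList<>();
        products.add(new Product("Widget", 9.99));
        products.add(new Product("Gadget", 19.50));

        // Benign user template: only touches the exposed variable.
        System.out.println(render("<#list products as p>${p.name}: ${p.price}\n</#list>", products, 10_000));

        // Constructed hostile templates that the restricted configuration rejects at runtime.
        String[] hostile = {
            "${\"freemarker.template.utility.Execute\"?new()(\"id\")}", // ?new blocked
            "${products?api.getClass()}",                               // ?api blocked
            "${dbConnectionString}",                                    // not in the data model
            "<#list 1..1000000000 as i>${i}</#list>"                    // runaway output
        };
        for (String src : hostile) {
            try {
                render(src, products, 10_000);
                System.out.println("UNEXPECTED: rendered " + src);
            } catch (TemplateException | IOException e) {
                System.out.println("blocked: " + src + " -> " + e.getClass().getSimpleName());
            }
        }
    }
}
```

The output bound only catches templates that write a lot; a template that burns CPU without producing output (an empty `<#list 1..1000000000 as i></#list>`) still needs a wall-clock limit, for example rendering on a worker thread that is abandoned after a timeout. That, plus restricting who may edit templates as Daniel suggests, is the part FreeMarker's settings do not do for you.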

