Ben <[EMAIL PROTECTED]> wrote:
> Hi
>
> I have been using Velocity throughout my site and I am in awe of its
> capabilities. However there are situations where I need to restrict
> its capabilities to a certain extent.
>
> For example, my site allows users to upload templates and be able to
> use a number of predefined variables. What I don't want them to do is
> to use Velocity to abuse the system, such as using directives and
> writing macros.
>
> Is there a way to create a Velocity instance with directives and other
> features disabled? The only thing I need is reference to variables.

The best thing to do is simply escape all # symbols when it's uploaded. I.e., replace them with $esc.hash or something equivalent. Personally, I'd go a step further and escape all $ symbols as well, then manually unescape any instance of ${esc.dollar}allowed_variable_name back to ${allowed_variable_name} where allowed variable name is in a preset list.
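
An added example, not part of the original reply: the escape-then-allowlist idea done in a single pass over the upload, so the `${esc.hash}` and `${esc.dollar}` text it inserts is never escaped a second time. It assumes the velocity-tools `EscapeTool` is in the context under the name `esc` (as `$esc.hash` in the reply implies); the class name, allowlist entries and sample template are hypothetical.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TemplateSanitizer {
    // Hypothetical allowlist: replace with the variables your site exposes.
    private static final Set<String> ALLOWED = Set.of("username", "site_name");

    // Matches '#', or '$' optionally followed by a bare name ($name or ${name}).
    private static final Pattern TOKEN = Pattern.compile(
        "#|\\$(?:\\{([A-Za-z_][A-Za-z0-9_]*)\\}|([A-Za-z_][A-Za-z0-9_]*))?");

    static String sanitize(String uploaded) {
        Matcher m = TOKEN.matcher(uploaded);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String name = m.group(1) != null ? m.group(1) : m.group(2);
            String replacement;
            if (m.group().equals("#")) {
                // Every '#' becomes inert text: no directives, macros or comments.
                replacement = "${esc.hash}";
            } else if (name != null && ALLOWED.contains(name)) {
                // Re-emit in formal notation so a trailing ".method()" stays plain text.
                replacement = "${" + name + "}";
            } else {
                // Escape only the '$'; whatever followed it is left as literal text.
                replacement = "${esc.dollar}" + m.group().substring(1);
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample upload mixing allowed variables with a directive,
        // a method call and references that are not on the allowlist.
        String uploaded = "Hi $username, welcome to ${site_name}.\n"
            + "#set($x = $username.getClass())\n"
            + "${secret} $!other";
        System.out.println(sanitize(uploaded));
    }
}
```

Run the sanitizer once at upload time and store only its output; the stored template then contains no live `#` and no `$` reference other than the allowlisted names.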