Ben <[EMAIL PROTECTED]> wrote:
> Hi
>
> I have been using Velocity throughout my site and I am in awe with its
> capabilities. However there are situations where I need to restrict
> its capabilities to a certain extend.
>
> For example, my site allows users to upload templates and be able to
> use a number of predefined variables. What I don't want them to do is
> to use Velocity to abuse the system, such as using directives and
> writing macros.
>
> Is there a way to create a Velocity instance with directives and other
> features disabled? The only thing I need is reference to variables.
The best thing to do is simply escape all # symbols when it's uploaded.
Ie, replace them with $esc.hash or something equivalent.
Personally, I'd go a step further and escape all $ symbols as well, then
manually unescape any instance of ${esc.dollar}allowed_variable_name back to
${allowed_variable_name} where allowed variable name is in a preset list.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
