Modified: velocity/site/cms/trunk/content/engine/2.1/webapps.mdtext URL: http://svn.apache.org/viewvc/velocity/site/cms/trunk/content/engine/2.1/webapps.mdtext?rev=1855185&r1=1855184&r2=1855185&view=diff ============================================================================== --- velocity/site/cms/trunk/content/engine/2.1/webapps.mdtext (original) +++ velocity/site/cms/trunk/content/engine/2.1/webapps.mdtext Mon Mar 11 00:29:17 2019 @@ -38,14 +38,14 @@ The simplest replacement for FileResourc If you are using the VelocityViewServlet, then it is automatically configured and ready to use the WebappResourceLoader. So if you want to change the configured path(s), you need only add a line like the following to your velocity.properties: :::properties - webapp.resource.loader.path=/WEB-INF/mytemplates/ + resource.loader.webapp.path=/WEB-INF/mytemplates/ If you need to set the WebappResourceLoader up on your own, then you can make your properties something like this: :::properties - resource.loader=webapp - webapp.resource.loader.class=org.apache.velocity.tools.view.WebappResourceLoader - webapp.resource.loader.path=/WEB-INF/mytemplates/ + resource.loader = webapp + resource.loader.webapp.class = org.foo.WebappResourceLoader + resource.loader.webapp.path = /WEB-INF/mytemplates/ You will **also need to put the ServletContext into your VelocityEngine's application attributes** before initializing that Engine. This is how the WebappResourceLoader knows how to find templates. 
@@ -83,7 +83,7 @@ Any user-entered text that contains spec However, Velocity provides the ability to specify a `ReferenceInsertionEventHandler` which will alter the value of a reference before it is inserted into the page. Specifically, you can configure the `EscapeHtmlReference` handler into your `velocity.properties` file to escape all references (optionally) matching a regular expression. The following example will escape HTML entities in any reference that starts with "msg" (e.g. `$msgText`). :::properties - eventhandler.referenceinsertion.class = org.apache.velocity.app.event.implement.EscapeHtmlReference + eventhandler.reference_insertion.class = org.apache.velocity.app.event.implement.EscapeHtmlReference eventhandler.escape.html.match = /msg.*/ Note that other kinds of escaping are sometimes required. For example, in style sheets the @ character needs to be escaped, and in Javascript strings the single apostrophe ' needs to be escaped. @@ -93,7 +93,7 @@ Note that other kinds of escaping are so Since a web application is running on a central server, that typically has multiple users and confidential resources, care must be taken to make certain that the web application is secure. Most standard web security principles apply to a web application built with Velocity. A few specific issues (such as system configuration, more on cross-site scripting, and method introspection) are written up in this article on [Building Secure Applications with Velocity](http://wiki.apache.org/velocity/BuildingSecureWebApplications). In particular, you may want to prevent template designers from including "dangerous" reflection-related methods by specifying the `SecureUberspector` to get/set properties and execute method calls. :::properties - runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector + runtime.introspector.uberspect.class = org.apache.velocity.util.introspection.SecureUberspector ### Logging
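Review bot: In the first hunk (@@ -38,14), the second properties block changes the loader class from `org.apache.velocity.tools.view.WebappResourceLoader` to `org.foo.WebappResourceLoader`, which reads like a placeholder package. The surrounding text is still describing the WebappResourceLoader used by VelocityViewServlet. A reader who copies the block as written will point the engine at a class that does not exist in their deployment. Either keep the fully qualified name from the removed line, or state in the sentence above the block that `org.foo` stands for the reader's own package. It would also help to format the two blocks the same way, since the first uses `key=value` and the second `key = value`.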
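Review bot: In the second hunk (@@ -83,7), only the middle segment of the handler key is renamed (`eventhandler.reference_insertion.class`). The unchanged line directly below it, `eventhandler.escape.html.match = /msg.*/`, keeps the old spelling. Please check both keys, including the `eventhandler.` prefix, against the 2.1 configuration key list, and update the match key in the same commit if it was renamed too. This matters more than a cosmetic rename because the block is the page's HTML-escaping recipe. If the engine ignores a misspelt key, the handler is never installed and references are inserted unescaped, with nothing in the page telling the reader how to confirm the handler is active.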
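Review bot: In the third hunk (@@ -93,7), the new key `runtime.introspector.uberspect.class` keeps the `runtime.` prefix, while the other keys touched in this commit were rearranged rather than just given a suffix. Please confirm the exact 2.1 spelling before publishing. This line is what enables `SecureUberspector`. If the key is not the one the engine reads, the default uberspector stays in place and the reflection-related methods the paragraph warns about remain callable from templates. A short sentence after the block on how to verify the setting took effect (for example, that a template call to a blocked method is refused) would make the documentation safer to follow.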
