On Tue, Apr 10, 2018 at 6:34 AM, Riehemann, Michael
<michael.riehem...@coremedia.com> wrote:
> Hi Daniel,
>
> thank you for your answer.
>
> The real usage is a little bit different but with the same result. We're 
> using Spring in our software and added a macro to simplify and unify the 
> usage of the spring.messageText and spring.messageArgs macros. And since our 
> messageKeys could include HTML we set the outputformat to plaintext (default 
> is HTML).
>
> <#outputformat "plainText">
>   <#macro message key args=[]>
>     <#compress>
>       <#if key?has_content>
>         <#if args?has_content>
>           <#local messageText><@spring.messageArgs key args/></#local>
>         <#else>
>           <#local messageText><@spring.message key/></#local>
>         </#if>
>         ${messageText}
>       </#if>
>     </#compress>
>   </#macro>
> </#outputformat>
>
> But we also need this as a return value for other usecases, so we added a 
> small wrapper as function:
>
> <#outputformat "plainText">
> <#function getMessage key args=[]>
>   <#local result><@message key=key args=args /></#local>
>   <#return result />
> </#function>
> </#outputformat>

I think you could use springRequestContext directly as their macros
are just very think wrapper for springMacroRequestContext [1]:

<#function getMessage key args=[]>
  <#return springMacroRequestContext.getMessage(key, args) />
</#function>

Regards,

Woonsan

[1] 
https://github.com/spring-projects/spring-framework/blob/4.3.x/spring-webmvc/src/main/resources/org/springframework/web/servlet/view/freemarker/spring.ftl

>
> And this causes the problem with the escaping, since it wasn't clear to us 
> that the output format is fixed.
>
> --Michael
>
> -----Urspr√ľngliche Nachricht-----
> Von: Daniel Dekany [mailto:ddek...@apache.org]
> Gesendet: Montag, 9. April 2018 16:14
> An: Riehemann, Michael <dev@freemarker.apache.org>
> Betreff: Re: Autoescaping
>
> Output formats works the same with both #function and #macro. What causes the 
> difference in your case is that you *call* another macro from that function. 
> You could call it from a macro as well with similar conclusion, but you have 
> printed the output directly there.
> The output format of the body of the called macro is fixed on parse time. 
> Imagine it as if the parser (where parsing happens when the template is first 
> loaded, earlier than template execution), it modifies ${foo} to 
> ${foo?esc('HTML')} for you (it doesn't, but it's something similar). It's not 
> dynamic. It saves you typing and prevents human errors exploitable for XSS 
> attack. See also this from the page your have linked:
>
>   Basically, each position in a template has an associated output
>   format, and as you saw above, it might not be the same everywhere in
>   the template. This association sticks to the positions and won't
>   change as the template executes. So if, for example, you call a
>   macro from inside an outputformat block and the called macro is
>   defined outside that block, it won't get the output format of it.
>   Or, if you have a macro that's defined in a template with HTML
>   output format, no mater from where you call it, that macro will
>   always execute with HTML output format. This is like if you were
>   coloring each characters of the template files by output format in
>   the text editor, and then later when the templates are executed, it
>   only considers the color of the statement being executed. This gives
>   you firm control over the output format and hence escaping; you
>   don't have to consider the possible execution paths that can lead to
>   a point.
>
> Also, I'm curious what use case do you have for dynamic escaping. I mean, I 
> see your example, why, in the real world do you need something like that?
>
>
> Monday, April 9, 2018, 2:44:36 PM, Riehemann, Michael wrote:
>
>> Hi Freemarker Devs,
>>
>> I have a question about the Autoescaping and the outputformat,
>> https://freemarker.apache.org/docs/dgui_misc_autoescaping.html
>>
>> Examplecode:
>>
>> <#ftl output_format="HTML">
>>
>> <#outputformat "plainText">
>> <#function testFunction>
>> <#local result><@testMacro /></#local> <#return result /> </#function>
>> </#outputformat>
>>
>> <#outputformat "plainText">
>> <#macro testMacro>
>> &
>> </#macro>
>> </#outputformat>
>>
>> Test Function: ${testFunction()}
>> Test Macro: <@testMacro/>
>>
>> Output:
>>
>> Test Function: &amp;
>> Test Macro: &
>>
>> It looks like outputformat is not working surrounding a function.
>> The simplest fix is to add ?no_esc to the call:
>> ${testFunction()?no_esc}
>>
>> But we have a lot of calls of this function and don't want to change all 
>> templates.
>>
>> So I tried this code (without outputformat):
>>
>> <#ftl output_format="HTML">
>>
>> <#function testFunction>
>> <#local result><@testMacro /></#local> <#return result /> </#function>
>>
>> <#outputformat "plainText">
>> <#macro testMacro>
>> &
>> </#macro>
>> </#outputformat>
>>
>> Test Function: ${testFunction()}
>> Test Macro: <@testMacro/>
>>
>> Output:
>>
>> Test Function: &
>> Test Macro: &
>>
>> Why does it work without the ouputformat surrounding the function?
>> Or maybe, why does the outputformat do the opposite to the function?
>>
>> Thank you,
>> Michael Riehemann
>
> --
> Thanks,
>  Daniel Dekany
>

Reply via email to