Hi,
Long ago we opened https://issues.apache.org/jira/browse/OFBIZ-7675 for that.
A few days ago Dániel Dékány (VP and main contributor to the Apache Freemarker
project) wrote at FREEMARKER-189 (https://s.apache.org/fitxs):
<<I strongly recommend using HTML auto-escaping instead of ?html (see in the
Manual). [...] Then people can't accidentally forget adding them....>>
I was reluctant to use all auto-escaping features. But I believe we should follow Forrest Rae
<https://issues.apache.org/jira/secure/ViewProfile.jspa?name=fbr%4014x.net>'s suggestion at OFBIZ-7041
<https://issues.apache.org/jira/browse/OFBIZ-7041> that we turn Freemarker autoescaping on. Quoting him there:
<<This new version of FreeMarker includes auto-escaping and output formats. The
<#escape> directive has been deprecated. Notice the comment at the
very end of this page:
"FreeMarker automatically escapes all values printed ... if it's properly
configured (that's the responsibility of the programmers; see here how
<http://freemarker.org/docs/pgui_config_outputformatsautoesc.html>)."
Would be good to turn autoescaping on, and set the configuration to match .ftl as
HTML and .fo.ftl as XML.>>
I mean the last part of Forrest Rae
<https://issues.apache.org/jira/secure/ViewProfile.jspa?name=fbr%4014x.net>'s
proposition, i.e.:
1. remove all "?html" expressions and rename all nameIt.ftl files to
nameIt.ftlh
2. remove all <#escape x as x?xml> ... </#escape> pairs and rename all
nameIt.fo.ftl files to nameIt.fo.ftlx
I think these changes are safe (to be tested of course).
What do you think?
Thanks
Jacques
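Added example (not OFBiz or FreeMarker project code) of what the proposed rename buys: with standard file extension recognition on, a template loaded as .ftlh gets the HTML output format and a .fo.ftlx one the XML output format, so the same `${name}` that a legacy .ftl echoes verbatim is entity-escaped without any ?html or <#escape>. The template names, the `name`/`snippet` model values and the class name are constructed for the demo.

```java
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;

public class AutoEscapeDemo {

    // Constructed in-memory templates standing in for the renamed OFBiz files.
    private static final StringTemplateLoader TEMPLATES = new StringTemplateLoader();
    static {
        // Legacy style: escaping only happens if every author remembers ?html.
        TEMPLATES.putTemplate("legacy.ftl", "<p>${name}</p>");
        // After the rename to .ftlh: output format HTML, auto-escaping on.
        TEMPLATES.putTemplate("page.ftlh", "<p>${name}</p>");
        // After the rename to .fo.ftlx: output format XML (for XSL-FO).
        TEMPLATES.putTemplate("report.fo.ftlx", "<fo:block>${name}</fo:block>");
        // Markup that is genuinely trusted must now opt out explicitly.
        TEMPLATES.putTemplate("trusted.ftlh", "<div>${snippet?no_esc}</div>");
    }

    static String render(Configuration cfg, String templateName,
                         Map<String, Object> model) throws Exception {
        Template t = cfg.getTemplate(templateName);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // With incompatible_improvements >= 2.3.24 the .ftlh/.ftlx recognition is
        // already the default; it is set explicitly so the intent is visible.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_25);
        cfg.setTemplateLoader(TEMPLATES);
        cfg.setRecognizeStandardFileExtensions(true);

        Map<String, Object> model = new HashMap<>();
        model.put("name", "<script>alert('x')</script>"); // constructed hostile input
        model.put("snippet", "<b>ok</b>");                // constructed trusted markup

        for (String name : new String[] {"legacy.ftl", "page.ftlh", "report.fo.ftlx", "trusted.ftlh"}) {
            System.out.println(name + " -> " + render(cfg, name, model));
        }
    }
}
```

Only legacy.ftl prints the script tag as-is; the .ftlh and .fo.ftlx templates emit it entity-escaped, and trusted.ftlh shows that ?no_esc is the single, greppable place where escaping is bypassed.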