Jacques Le Roux created OFBIZ-7675:
--------------------------------------

             Summary: Investigate if we should turn on Freemarker autoescaping 
                 Key: OFBIZ-7675
                 URL: https://issues.apache.org/jira/browse/OFBIZ-7675
             Project: OFBiz
          Issue Type: New Feature
          Components: framework
    Affects Versions: Trunk
            Reporter: Jacques Le Roux
            Priority: Minor
             Fix For: Upcoming Branch


At OFBIZ-7041 [[email protected]] suggested that we turn Freemarker autoescaping 
on. Quoting him there:
{quote}
This new version of FreeMarker includes auto-escaping and output formats. The 
<#escape> directive has been deprecated. Notice the comment at the very end of 
this page:

"FreeMarker automatically escapes all values printed ... if it's properly 
configured (that's the responsibility of the programmers; [see here 
how|http://freemarker.org/docs/pgui_config_outputformatsautoesc.html])."

Would be good to turn autoescaping on, and set the configuration to match .ftl 
as HTML and .fo.ftl as XML.
{quote}
[~pfm.smits] asked 
{quote}
If we are going down that path I guess we have to visit a lot of Freemarker 
template files, right?
{quote}
Here is my answer
{quote}
We don't use any <#escape> directives in all OFBiz. We have a couple of 
<#noescape> which should be replaced by <#noautoesc>. So I agree we could set 
the Freemarker environment to auto-escaping, and test if it has no unexpected 
side-effects.

Could be that this will fix or complicate the issue I crossed (at bottom) of 
OFBIZ-7041 and more recently at OFBIZ-7343, let's see...
{quote}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
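
One way the configuration suggested above (.ftl as HTML, .fo.ftl as XML, auto-escaping on) can be expressed with FreeMarker's TemplateConfiguration API, available from 2.3.24. This is an added example, not OFBiz code and not part of the original issue; the class name, template names and sample value are constructed for illustration.

```java
import freemarker.cache.ConditionalTemplateConfigurationFactory;
import freemarker.cache.FileNameGlobMatcher;
import freemarker.cache.FirstMatchTemplateConfigurationFactory;
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateConfiguration;
import freemarker.core.XMLOutputFormat;
import freemarker.template.Configuration;
import java.io.StringWriter;
import java.util.Collections;

public class AutoEscDemo {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        TemplateConfiguration xml = new TemplateConfiguration();
        xml.setOutputFormat(XMLOutputFormat.INSTANCE);
        TemplateConfiguration html = new TemplateConfiguration();
        html.setOutputFormat(HTMLOutputFormat.INSTANCE);

        Configuration cfg = new Configuration(Configuration.VERSION_2_3_24);
        // Auto-escape every ${...} whose output format defines escaping (HTML and XML do).
        cfg.setAutoEscapingPolicy(Configuration.ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY);
        // First match wins, so *.fo.ftl has to be tested before the broader *.ftl.
        cfg.setTemplateConfigurations(new FirstMatchTemplateConfigurationFactory(
                new ConditionalTemplateConfigurationFactory(new FileNameGlobMatcher("*.fo.ftl"), xml),
                new ConditionalTemplateConfigurationFactory(new FileNameGlobMatcher("*.ftl"), html))
                .allowNoMatch(true));  // other file names keep the default output format

        // Constructed templates: one screen, one XSL-FO report.
        StringTemplateLoader loader = new StringTemplateLoader();
        // <#noautoesc> is the replacement for <#noescape>: its content is printed raw,
        // so each use needs review that the value is already safe markup.
        loader.putTemplate("screen.ftl", "<p>${v}</p> <#noautoesc>${v}</#noautoesc>");
        loader.putTemplate("report.fo.ftl", "<fo:block>${v}</fo:block>");
        cfg.setTemplateLoader(loader);

        // Constructed value containing characters that are markup-significant.
        String value = "<b>Tom & 'Jerry'</b>";
        for (String name : new String[] {"screen.ftl", "report.fo.ftl"}) {
            StringWriter out = new StringWriter();
            cfg.getTemplate(name).process(Collections.singletonMap("v", value), out);
            System.out.println(name + " -> " + out);
        }
    }
}
```

Comparing the escaped and `<#noautoesc>` renderings of the same value in `screen.ftl` is a quick way to spot templates that relied on unescaped output before the switch.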
