[
https://issues.apache.org/jira/browse/VELOCITY-705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12677552#action_12677552
]
Byron Foster commented on VELOCITY-705:
---------------------------------------
There is the notion of the Context event handler which is a little more
dynamic, but unfortunately it is terribly inefficient.
In the 2.0exp branch I added a simple interface for writers just for this type
of thing. the interface add a writeReference(String str) method. If the
writer passed to Velocity implements this interface then it calls this method
to write references instead of write(String). This provided the ability to
intercept reference rendering at the writer level.
I implemented a directive called #escape that provides much of the
functionality you describe and takes advantage of the above writer interface.
you call it like #escape(xml) ... #end. The escaping behavior operates in a
stack of course so you can do this type of thing:
#escape(xml)
...
#escape(url)
....
#end
#escape(none)
....
#end
...
#end
In reality I do web stuff, so escaping xml is on by default. Anyway, i was
going to submit it once I had test driven it for a while, and liked how it
worked. 2.0 may not work for you :), but you're welcome to take a look.
Making it work for 1.7 wouldn't be a big deal. I was thinking of also
implementing the ability to take a Map as a parameter which maps chars to
escape sequences. so you could call it like #escape($myesc) where $myesc
contains the map.
> Dynamic VTL reference modification directive
> --------------------------------------------
>
> Key: VELOCITY-705
> URL: https://issues.apache.org/jira/browse/VELOCITY-705
> Project: Velocity
> Issue Type: New Feature
> Components: Engine
> Reporter: Jarkko Viinamäki
>
> Currently EventHandlers are defined in velocity.properties like:
> eventhandler.referenceinsertion.class =
> The problem is that AFAIK this handler is active in every reference
> evaluation (and every template). I propose a dynamic setting that can be
> chained and turned on and off during template rendering.
> Syntax might be something like:
> #filter($myReferenceModifier)
> any VTL here ($foo type references are modified using the class referred by
> $myReferenceModifier)
> #end
> The basic idea is that you put some classes that implement e.g.
> ReferenceInsertionEventHandler interface to the Context and then you can use
> those to filter/modify some selected parts of the template. #filter directive
> should allow nesting (one #filter directive contain another #filter
> directive).
> It's probably also necessary to disable filtering for selected elements
> inside the filter block.
> It might be also useful to be able to limit the amount of reference names
> that are passed to the filter. Like:
> #filter($myReferenceModifier ['a', 'foo', 'html'])
> ----
> Use Case for this feature is that often you need to escape form values and
> other elements to avoid XSS attacks etc. Escaping all references in all
> templates seems like an overkill (and isn't very performance friendly
> either). This feature would allow you to do escaping dynamically only for
> selected elements.
> What do you think?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
