[ https://issues.apache.org/jira/browse/VELOCITY-705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12677902#action_12677902 ]

Byron Foster commented on VELOCITY-705:
---------------------------------------

Yea, the writeReference method was really specifically suited for escaping, 
given that it seems it should be the last thing performed.  For example, you may 
have a date format which produces "April 1 > 3000" which would then need to be 
escaped in the case of XML.



> Dynamic VTL reference modification directive
> --------------------------------------------
>
>                 Key: VELOCITY-705
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-705
>             Project: Velocity
>          Issue Type: New Feature
>          Components: Engine
>            Reporter: Jarkko Viinamäki
>
> Currently EventHandlers are defined in velocity.properties like:
> eventhandler.referenceinsertion.class =
> The problem is that AFAIK this handler is active in every reference 
> evaluation (and every template). I propose a dynamic setting that can be 
> chained and turned on and off during template rendering.
> Syntax might be something like:
> #filter($myReferenceModifier)
>  any VTL here ($foo type references are modified using the class referred by 
> $myReferenceModifier)
> #end
> The basic idea is that you put some classes that implement e.g. 
> ReferenceInsertionEventHandler interface to the Context and then you can use 
> those to filter/modify some selected parts of the template. #filter directive 
> should allow nesting (one #filter directive containing another #filter 
> directive).
> It's probably also necessary to disable filtering for selected elements 
> inside the filter block.
> It might also be useful to be able to limit the number of reference names 
> that are passed to the filter. Like:
> #filter($myReferenceModifier ['a', 'foo', 'html'])
> ----
> Use Case for this feature is that often you need to escape form values and 
> other elements to avoid XSS attacks etc. Escaping all references in all 
> templates seems like overkill (and isn't very performance friendly 
> either). This feature would allow you to do escaping dynamically only for 
> selected elements.
> What do you think?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
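
The ordering point from the comment above, as an added example (not code from this thread or from the Velocity project): `applyChain`, `formatDate` and `escapeXml` are hypothetical stand-ins for chained reference modifiers, and the date pattern is constructed to reproduce the "April 1 > 3000" string. It shows that an escaper placed ahead of the formatter never sees the `>` the formatter introduces.

```java
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.Locale;
import java.util.function.UnaryOperator;

public class EscapeLastDemo {
    // Hypothetical chain runner: each modifier receives the previous one's result.
    // This is an illustration, not Velocity's event-handler API.
    static Object applyChain(List<UnaryOperator<Object>> chain, Object value) {
        for (UnaryOperator<Object> modifier : chain) {
            value = modifier.apply(value);
        }
        return value;
    }

    // Formats Date values; the constructed pattern emits a literal '>'.
    static Object formatDate(Object v) {
        if (!(v instanceof Date)) return v;
        return new SimpleDateFormat("MMMM d '>' yyyy", Locale.ENGLISH).format((Date) v);
    }

    // Escapes the five XML special characters in Strings.
    // Non-String values pass through, because their text form does not exist yet.
    static Object escapeXml(Object v) {
        if (!(v instanceof String)) return v;
        return ((String) v).replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&apos;");
    }

    public static void main(String[] args) {
        // Constructed sample value: 1 April 3000 in the default time zone.
        Date sample = new GregorianCalendar(3000, Calendar.APRIL, 1).getTime();

        // Escaper first: it sees a Date, does nothing, and the formatter's '>' goes out raw.
        List<UnaryOperator<Object>> escapeFirst = Arrays.<UnaryOperator<Object>>asList(
                EscapeLastDemo::escapeXml, EscapeLastDemo::formatDate);
        // Escaper last: it sees the final text, so the '>' is encoded.
        List<UnaryOperator<Object>> escapeLast = Arrays.<UnaryOperator<Object>>asList(
                EscapeLastDemo::formatDate, EscapeLastDemo::escapeXml);

        System.out.println("escape first: <d>" + applyChain(escapeFirst, sample) + "</d>");
        System.out.println("escape last:  <d>" + applyChain(escapeLast, sample) + "</d>");
    }
}
```

With nested or chained filters of the kind proposed in the issue, the same check applies to any modifier that can change the rendered text: the escaper has to run after it.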

