On Wed, Nov 24, 2010 at 14:19, Thomas Mortagne <[email protected]> wrote:
> Hi devs,
>
> $xwiki.parseMessage is used to parse velocity located in a translation
> message.
>
> Thing is, for me it's very bad (bad design and very bad for
> performance and most of all for security) to have velocity in
> translation messages which makes $xwiki.parseMessage useless and some
> others would say a security hole (see
> http://jira.xwiki.org/jira/browse/XWIKI-5684).
>
> So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
>
> WDYT ?

I forgot to indicate that the alternative (for a very long time) is to use $msg.get(String key, List<?> params) and I really doubt we really need velocity for anything else than putting in the middle of a translation some value depending on the context (like the document name when printing an error and things like that).

>
> --
> Thomas Mortagne
>

--
Thomas Mortagne

