Yes. A user could execute arbitrary Java methods from a template.

On 31 March 2010 03:59, Treague, Keith <keith.trea...@merrillcorp.com> wrote:

> I'm looking for a templating engine that can take a set of data I give it,
> put it into an html template, and then I'll either return that to a web
> browser or send that out as an e-mail. The catch is I want my users to be
> able to edit the template itself.
>
> My concern is if they are editing the template, is there any way they can
> create a malicious template that will execute malicious code on the server
> such as calling various services on the server to get unauthorized info or
> grant themselves additional access? If you can execute arbitrary Java
> methods from a template I can't use it. Any input I'd appreciate!
>
> (sorry if you get this twice, the first time I sent it I wasn't subscribed
> yet)
>



-- 
Regards,
Alexander
