Hi Keith,

Just do not publish anything dangerous in your context and you are safe, push in only immutable objects.

On 03/30/2010 05:02 PM, Alexander Krasnukhin wrote:
Yes. User could execute arbitrary java methods from a template.

On 31 March 2010 03:59, Treague, Keith<keith.trea...@merrillcorp.com>wrote:

I'm looking for a templating engine that can take a set of data I give it,
put it into an html template, and then I'll either return that to a web
browser or send that out as an e-mail. The catch is I want my users to be
able to edit the template itself.

My concern is if they are editing the template, is there any way they can
create a malicious template that will execute malicious code on the server
such as calling various services on the server to get unauthorized info or
grant themselves additional access? If you can execute arbitrary java
methods from a template I can't use it. Any input I'd appreciate!

(sorry if you get this twice, the first time I sent it I wasn't subscribed
yet)
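
One way to apply the advice above (expose only immutable values to the template and restrict introspection), as an added Java example that is not part of this thread and not Velocity's own code; it assumes Velocity 1.7 and the hypothetical class name RestrictedTemplateRenderer:

```java
import java.io.StringWriter;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Hypothetical helper: renders a user-editable template against a
 * deliberately restricted context. Not part of Velocity itself.
 */
public class RestrictedTemplateRenderer {

    private final VelocityEngine engine;

    public RestrictedTemplateRenderer() {
        engine = new VelocityEngine();
        // SecureUberspector (shipped with Velocity since 1.6) refuses method
        // calls that reach java.lang.Class or a ClassLoader, so even the plain
        // String values placed below cannot be used as a bridge to other classes.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();
    }

    /**
     * Only plain, immutable values enter the context: no services, DAOs,
     * request objects or anything else with side-effecting methods.
     */
    public String render(String userTemplate, Map<String, String> fields) {
        Map<String, String> snapshot =
                Collections.unmodifiableMap(new HashMap<String, String>(fields));
        VelocityContext context = new VelocityContext();
        for (Map.Entry<String, String> e : snapshot.entrySet()) {
            context.put(e.getKey(), e.getValue());
        }
        StringWriter out = new StringWriter();
        engine.evaluate(context, out, "user-template", userTemplate);
        return out.toString();
    }

    public static void main(String[] args) {
        Map<String, String> fields = new HashMap<String, String>();   // constructed sample data
        fields.put("customer", "Ada Lovelace");
        fields.put("orderId", "A-1001");
        String template = "<p>Dear $customer, your order $orderId has shipped.</p>";
        System.out.println(new RestrictedTemplateRenderer().render(template, fields));
    }
}
```

Whatever the template author writes, the only objects reachable by reference are the strings put into the context, and the uberspector blocks the reflection methods those strings would otherwise expose.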
