Sounds like a perfect match for Velocity template engine. I guess you want to make sure the objects passed into the template won't have any methods that the user would execute that could cause damage.
But, overall, I'd recommend Velocity for your purpose. Jian SimpleWiki in Java and Velocity http://www.jiansnet.com/services/simplewiki.html On Tue, Mar 30, 2010 at 2:02 PM, Alexander Krasnukhin <the.malk...@gmail.com > wrote: > Yes. User could execute arbitrary java methods from a template. > > On 31 March 2010 03:59, Treague, Keith <keith.trea...@merrillcorp.com > >wrote: > > > I'm looking for a templating engine that can take a set of data I give > it, > > put it into an html template, and then I'll either return that to a web > > browser or send that out as an e-mail. The catch is I want my users to be > > able to edit the template itself. > > > > My concern is if they are editing the template, is there any way they can > > create a malicious template that will execute malicious code on the > server > > such as calling various services on the server to get unauthorized info > or > > grant themselves additional access? If you can execute arbitrary java > > methods from a template I can't use it. Any input I'd appreciate! > > > > (sorry if you get this twice, the first time I sent it I wasn't > subscribed > > yet) > > > > > > -- > Regards, > Alexander >
