On Tue, Mar 30, 2010 at 3:11 PM, jian chen <chenjian1...@gmail.com> wrote:
> Sounds like a perfect match for the Velocity template engine.
>
> I guess you want to make sure the objects passed into the template won't
> have any methods that the user could execute that would cause damage.
>

Are there any secrets here? Or is it as simple as:
1) only objects that are put in context
2) only public methods
3) anything else?

> But, overall, I'd recommend Velocity for your purpose.
>
> Jian
> SimpleWiki in Java and Velocity
> http://www.jiansnet.com/services/simplewiki.html
>
>
> On Tue, Mar 30, 2010 at 2:02 PM, Alexander Krasnukhin <the.malk...@gmail.com> wrote:
>
>> Yes. A user could execute arbitrary Java methods from a template.
>>
>> On 31 March 2010 03:59, Treague, Keith <keith.trea...@merrillcorp.com> wrote:
>>
>> > I'm looking for a templating engine that can take a set of data I give it,
>> > put it into an HTML template, and then I'll either return that to a web
>> > browser or send that out as an e-mail. The catch is I want my users to be
>> > able to edit the template itself.
>> >
>> > My concern is, if they are editing the template, is there any way they can
>> > create a malicious template that will execute malicious code on the server,
>> > such as calling various services on the server to get unauthorized info or
>> > grant themselves additional access? If you can execute arbitrary Java
>> > methods from a template I can't use it. Any input I'd appreciate!
>> >
>> > (sorry if you get this twice, the first time I sent it I wasn't subscribed
>> > yet)
>> >
>>
>>
>>
>> --
>> Regards,
>> Alexander
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@velocity.apache.org
For additional commands, e-mail: user-h...@velocity.apache.org
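As an added example (not code from anyone in this thread, nor from the Velocity project), here is the arrangement the thread is circling: hand the user-edited template only a plain data object, and switch Velocity's introspector to `SecureUberspector` so the template cannot reflect from that object to arbitrary classes. It assumes Velocity 1.6/1.7 (the `RuntimeConstants.UBERSPECT_CLASSNAME` property key); the `Customer` class and the sample values are constructed for illustration. Note the limit Jian points at: this closes the reflection escape, but any public method of an object you do put in the context stays callable, so a service bean in the context is still a service bean.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

public class UserTemplateRenderer {

    // Constructed data carrier (hypothetical): the only public methods a template
    // can reach on it are getName()/getEmail(), so nothing here touches the server.
    public static class Customer {
        private final String name;
        private final String email;
        public Customer(String name, String email) { this.name = name; this.email = email; }
        public String getName()  { return name; }
        public String getEmail() { return email; }
    }

    private final VelocityEngine engine;

    public UserTemplateRenderer() {
        Properties props = new Properties();
        // Velocity 1.6+: SecureUberspector refuses to resolve getClass()/getClassLoader()
        // and any method on java.lang.Class, ClassLoader, Runtime, System, Thread,
        // java.lang.reflect.*, etc., so a template cannot reflect its way out of the context.
        props.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                          SecureUberspector.class.getName());
        engine = new VelocityEngine();
        engine.init(props);
    }

    public String render(String userEditedTemplate, Customer customer) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("customer", customer);   // deliberately the only object exposed
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "user-template", userEditedTemplate);
        return out.toString();
    }

    public static void main(String[] args) {
        UserTemplateRenderer r = new UserTemplateRenderer();
        Customer c = new Customer("Ada", "ada@example.com");   // constructed sample input
        // Allowed: a public getter on the context object.
        System.out.println(r.render("Hello $customer.name <$customer.email>", c));
        // Declined: the secure introspector does not expose getClass(), so the reference
        // is left as literal text (and a warning is logged) rather than invoked.
        System.out.println(r.render("$customer.getClass()", c));
    }
}
```

The second `render` call is the check to keep in a unit test: if it ever comes back as a class name instead of the literal reference, the secure introspector is no longer configured.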