You could set up each user with their own VelocityEngine, and supply a
directory name for the templates that is exclusive to that user.
Then the #parse and #include could only reach files that are exclusive
to that user.  You can optionally include more than one directory for
templates in the VelocityEngine, so you might also have a directory of
files that can be used by all users.

So when someone went to the user's web page, you would look up the
directory for that user, set up the appropriate VelocityEngine, set the
VelocityContext, and do a MergeTemplate.

Barbara Baughman
X2157

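The per-user engine Barbara describes, written out as an added example in Java (this is not code from the thread or from the Velocity project itself). It assumes a directory layout of /srv/templates/users/<userId> and /srv/templates/shared, the Velocity 1.5 to 1.7 property names, and the three-argument IncludeEventHandler of those versions; the file-name pattern is a choice made here, not something Velocity imposes.

```java
import java.io.File;
import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.IncludeEventHandler;

/**
 * Added example, not code from the original thread: one VelocityEngine per
 * user whose file loader sees only that user's template directory plus one
 * shared directory. #parse and #include go through the same loader, so they
 * cannot name anything outside those two roots. The directory layout and the
 * name pattern are assumptions; the property names and the IncludeEventHandler
 * signature are those of Velocity 1.5 through 1.7.
 */
public class PerUserTemplateRenderer {

    // Hypothetical layout: /srv/templates/users/<userId>/*.vm and /srv/templates/shared/*.vm
    private static final File USER_ROOT = new File("/srv/templates/users");
    private static final File SHARED_ROOT = new File("/srv/templates/shared");

    // Plain file names only: no '/', no '\', no "..", so a name can never carry a path.
    private static final String SAFE_NAME = "[A-Za-z0-9_-]{1,64}\\.vm";

    /** Build an engine that can load templates only from the user's and the shared directory. */
    static VelocityEngine engineFor(String userId) throws IOException {
        if (!userId.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("bad user id");
        }
        File userDir = new File(USER_ROOT, userId).getCanonicalFile();
        if (!userDir.getPath().startsWith(USER_ROOT.getCanonicalPath() + File.separator)) {
            throw new IllegalArgumentException("user directory escapes USER_ROOT");
        }

        VelocityEngine engine = new VelocityEngine();
        engine.setProperty("resource.loader", "file");
        // Two roots, comma separated: the user's own templates first, then the shared ones.
        engine.setProperty("file.resource.loader.path",
                userDir.getPath() + "," + SHARED_ROOT.getCanonicalPath());
        // Velocity 1.5+: stop templates from reaching $obj.class / ClassLoader via reflection.
        engine.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();
        return engine;
    }

    /** Render one of the user's templates; the template name is user-supplied and is validated here. */
    static String render(String userId, String templateName, Map<String, Object> model)
            throws Exception {
        if (!templateName.matches(SAFE_NAME)) {
            throw new IllegalArgumentException("bad template name");
        }
        VelocityEngine engine = engineFor(userId);

        VelocityContext ctx = new VelocityContext();
        for (Map.Entry<String, Object> e : model.entrySet()) {
            ctx.put(e.getKey(), e.getValue());
        }

        // Do not rely on the file loader to reject "../": veto any #parse/#include
        // argument that is not a plain file name. Returning null skips the directive.
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new IncludeEventHandler() {
            public String includeEvent(String includeResourcePath,
                                       String currentResourcePath, String directiveName) {
                return includeResourcePath != null && includeResourcePath.matches(SAFE_NAME)
                        ? includeResourcePath : null;
            }
        });
        cartridge.attachToContext(ctx);

        StringWriter out = new StringWriter();
        engine.mergeTemplate(templateName, "UTF-8", ctx, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Usage: render alice's page.vm with a small model. The template files
        // under the hypothetical directories are assumed to exist.
        String html = render("alice", "page.vm",
                java.util.Collections.<String, Object>singletonMap("title", "Alice's page"));
        System.out.println(html);
    }
}
```

Two points a practitioner would check before shipping this. First, the loader path only bounds where a template name is looked up; whether a given Velocity version also refuses a ".." component inside a #parse or #include argument is not something to assume, which is why the IncludeEventHandler above vetoes anything that is not a bare file name. Second, restricting files is not the whole story when users author templates: anything placed in the VelocityContext is reachable through reflection, so keep the context to plain data objects and, on Velocity 1.5 or later, set the SecureUberspector as shown. Building an engine per request is expensive; cache one engine per user instead.
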
On Fri, 22 Apr 2005, Tony Morris wrote:

> I had a bit of a fiddle with Velocity a while back, and I'm considering
> using it in a J2EE project that is coming up. A requirement that I have is
> that users should be able to submit their preferred format for rendering of
> their web page, for which I thought Velocity would be entirely appropriate.
> The issue I have is security-related. I had a look through the Velocity user
> guide and the only real potential hole that I see is the use of the #parse
> or #include directive. I shouldn't expect users will use this, but I need to
> protect against it nonetheless (are there any other potential holes that I
> can't see?). The user document talks about the 'TEMPLATE_ROOT' (what is that
> exactly?) being the only place from which the referenced files can be
> included/parsed, but I'm wondering if Velocity provides something to solve
> what I believe would be a common problem, perhaps by preventing
> include/parse directives altogether - or perhaps some unforeseen solution
> that is more well suited.
>
> Thanks for any tips.
>
> Tony Morris
> Software Engineer
> Gold Coast, Australia
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
