auto-escaping for freemarker templates
211 views
Skip to first unread message
Christian T.
Nov 4, 2019, 9:23:57 AM11/4/19
to CrafterCMS
Hello folks,
I want to use the freemarker auto-escaping functionality for my template files (*.ftl) in crafter cms. Currently there is no escaping.
I don't want to activate auto-escaping for each FTL file, like this:
<#ftl autoesc=true>
my code
<#/ftl>
Is there an another way to define a default behavior for the auto-escaping in crafter cms?
Best regards
Christian
--------
Crafter Version 3.1.1
Jose Ross
Nov 4, 2019, 12:01:36 PM11/4/19
to CrafterCMS
Hi Christian,
There is one option to change the auto-escape setting globally for all templates, however you should still consider using it locally because it can lead to security issues in your site (for example any text field could be used to inject HTML or JS code)
To change the global settings you will need to override this bean https://github.com/craftercms/engine/blob/master/src/main/resources/crafter/engine/services/main-services-context.xml#L523 and it also means your server could have issues with future releases (for example if we add or remove properties from that class then you will need to update your override file)
Here you can find the Freemarker docs about the auto-escape setting https://freemarker.apache.org/docs/api/freemarker/template/Configuration.html#setAutoEscapingPolicy-int-
Regards
Christian T.
Nov 5, 2019, 2:31:10 AM11/5/19
to CrafterCMS
Hi Jose,
thank you for your advice,
but I don't understand the first sentence.
I guess there would be only security issues if escaping is globally off.
I want to turn it on for all templates and only turn it off locally (if necessary).
I think the default setting is that files with *.FTL file extension have no defined output format.
As a consequence injecting code is generally possible. Right?
Best regards & thanks
Christian
Jose Ross
Nov 5, 2019, 9:20:21 AM11/5/19
to CrafterCMS
Hi Christian,
Or you can also set it globally overriding the same bean I mentioned before.
Sorry I misunderstood your question, you are right the default setting is to escape based on the output format, so you can set it for every template using this:
<#ftl output_format="HTML">
Regards
Reply all
Reply to author
Forward
0 new messages