velocity-user mailing list archives

From Serge Knystautas
Subject Re: security audit
Date Mon, 02 Jun 2003 16:56:40 GMT
Jonathan Revusky wrote:
>> Nope, service providers will not deploy velocity if it is not safe!
> FWIW, it seems like a non-issue to me. A security-conscious ISP would 
> only let java servlets run in a sandbox and the same security 
> restrictions that apply to the servlets would apply to the Velocity (or 
> FreeMarker or any other) templates that the servlet makes use of.

As an example of a service provider, we have selected velocity as the 
templating engine because of the ease with which it integrates with our Java 
architecture (mainly over PHP).  I'd rather not get into sandboxing 
since we are not exposing Java or any true programming capabilities... 
just some basic templating and scripting.

So I would be interested in being able to lock down velocity so that 
authors (our customers) cannot do bad things.

Serge Knystautas
Lokitech >> software . strategy . design >>
p. 301.656.5501
