velocity-user mailing list archives

From Daniel Dekany <ddek...@freemail.hu>
Subject Re: [ANN] Viento - WHY?
Date Fri, 07 Oct 2005 17:57:34 GMT
Friday, October 7, 2005, 7:31:41 PM, Robert Koberg wrote:

> Daniel Dekany wrote:
>> Friday, October 7, 2005, 6:28:16 PM, jian chen wrote:
>> 
>> 
>>>Hi,
>>>
>>>I have been looking at the FreeMarker vs. Velocity emails. The only
>>>objection that I don't use FreeMarker in my project is, I prefer the
>>>Velocity syntax to FreeMarker. I like a clear separation of the template
>>>code from the HTML.
>> 
>> 
>> What do you mean by that? Maybe you only know the early FM. For a while
>> FreeMarker tags look like <#if whatever>...</#if> and <@myMacro whatever />,
>> so they are clearly separated from the XML/HTML now.
>
> Yes, they are clearly not HTML or XML. But FM templates cannot be 
> written (comfortably) in an HTML or XML editor that is checking for 
> well-formedness or validity.

Nor can Velocity templates... for example, try to conditionally add an
attribute. That will not even be well-formed. But yes, simple templates
can remain valid with Velocity.

> The main problem for me is the syntax above would not pass through an 
> XML parser.

Why do you pass a template (rather than its output) through an XML
parser? I ask because I hear it a lot... if only one person needs it,
fine. But why is this demand so popular? What do people use this for?

> I realize FM has very recently added an XML friendly syntax,

Well... only as XML friendly as Velocity. Really XML friendly syntaxes are
like the Zope Template Language. But they are terribly verbose.

> but Velocity has always had it and i feel more comfortable using 
> something that has been around longer (the XML friendly syntax).
>
> I don't want anything else added to Velocity. I want it to stay simple
> so only very basic things can get done in a template.
>
> One thing that might make me think about switching has to do with 
> security. Can you do something like this in FM:
>
> #set ($classLoader = $request.getClass().getClassLoader())
>
> ?

Not by default... and AFAIK not in Velocity soon either. FreeMarker is
traditionally conservative in exposing the Java API of objects, since
it doesn't rely on Java's reflection API too much.

> I don't want a user to be able to do this. And I do not want to have a
> server admin to have to manage policy files to accomplish it.

FreeMarker has support for being used with Java's security policy feature...
but I don't know it. Anyway, my opinion about this topic in general is
that almost none of the template engines around was designed to be
something that you can let be written by the users (as opposed to developer
team mates like HTML page designers). Nor was FreeMarker. Yes, you can
prevent some really evil things by not allowing unrestricted reflection
calls. But evil users can still add a practically infinite loop and
whatever DoS-style stuff to your templates...

> -Rob

-- 
Best regards,
 Daniel Dekany
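The two risks raised in this exchange (a template reaching `getClassLoader()` through reflection, and a looping template used for DoS) are the ones Velocity later addressed with configuration rather than policy files. The following is an added example, not code from this thread or from either project; it assumes Velocity 1.7's `SecureUberspector` and `directive.foreach.maxloops` setting, neither of which existed when the thread was written, and uses a plain `Object` as a stand-in for the request.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Demonstrates a hardened VelocityEngine for templates that untrusted
 * users may edit (assumes Velocity 1.7). Example code, not from the thread.
 */
public class SecureTemplateDemo {

    /** Build an engine that refuses reflection into Class/ClassLoader and caps loops. */
    static VelocityEngine hardenedEngine() {
        VelocityEngine engine = new VelocityEngine();
        // SecureUberspector denies method calls on java.lang.Class, ClassLoader,
        // Thread, Runtime and similar (Class.getName() excepted), so the
        // getClass().getClassLoader() chain from the thread is cut at the second hop.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Upper bound on #foreach iterations, as a partial answer to the
        // "practically infinite loop" DoS concern.
        engine.setProperty("directive.foreach.maxloops", "1000");
        engine.init();
        return engine;
    }

    /** Render a template string against a context holding a constructed $request. */
    static String render(VelocityEngine engine, String template) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("request", new Object()); // constructed stand-in for the servlet request
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", template);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = hardenedEngine();
        // The exact template from the thread: with SecureUberspector the
        // getClassLoader() call is refused, $classLoader stays unset and the
        // reference is rendered unresolved instead of leaking a ClassLoader.
        String leak = "#set ($classLoader = $request.getClass().getClassLoader())\n"
                    + "loader=[$classLoader]";
        System.out.println(render(engine, leak));
        // A large loop is cut off at the configured maximum instead of running away.
        System.out.println(render(engine, "#foreach ($i in [1..100000])#end done"));
    }
}
```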


---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org

