velocity-user mailing list archives

From Guillaume Polet
Subject Re: Validate templates before use
Date Mon, 06 Feb 2012 14:58:59 GMT
I would go for the fundamentals of the developer guide:

import org.apache.velocity.Template;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.exception.MethodInvocationException;
import org.apache.velocity.exception.ParseErrorException;
import org.apache.velocity.exception.ResourceNotFoundException;

// If not done yet, init an engine (here the one of the singleton pattern, but there is a
// non-static call that you can do if you don't use the singleton pattern engine)

Template template = null;
try {
    // Calling getTemplate will automatically look up the template and parse it.
    template = Velocity.getTemplate("mytemplate.vm");
} catch( ResourceNotFoundException rnfe ) {
    // This should not happen in your case (although it could)
} catch( ParseErrorException pee ) {
    // Well, pretty obvious that the template is not correct
} catch( MethodInvocationException mie ) {
    // I don't remember in which case this exception is thrown.
} catch( Exception e ) {
}


On 6/02/2012 15:44, Chad La Joie wrote:
> On Mon, Feb 6, 2012 at 09:41, sebb wrote:
>> Just because it's parseable does not mean it's safe to use ...
>> allowing an end-user to provide a template without manual checking
>> sounds like a recipe for inviting exploits.
> There's nothing I can do about that.  If the user wants to write a
> template that exploits their own system, that's up to them.  I'm just
> trying to provide what checking I can at startup time.
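
A startup check along the lines discussed in this thread, as an added example that is not part of the original message or the Velocity project's code. The class name, method name and sample templates are constructed for illustration; it uses a non-singleton VelocityEngine and also enables SecureUberspector, since a successful parse only proves the syntax is valid.

```java
import java.nio.file.*;
import java.util.*;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.exception.ParseErrorException;
import org.apache.velocity.exception.ResourceNotFoundException;
import org.apache.velocity.runtime.RuntimeConstants;

public class TemplateStartupCheck {   // hypothetical class name

    /** Parses each named template once; returns one message per failure (empty = all parsed). */
    static List<String> validate(Path dir, List<String> names) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_PATH, dir.toString());
        // Parsing checks syntax only. SecureUberspector additionally restricts template
        // calls into reflection and class-loader classes when the template is rendered.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();

        List<String> failures = new ArrayList<>();
        for (String name : names) {
            try {
                engine.getTemplate(name);   // loads and parses, does not render
            } catch (ResourceNotFoundException e) {
                failures.add(name + ": not found");
            } catch (ParseErrorException e) {
                failures.add(name + ": syntax error at line " + e.getLineNumber()
                        + ", column " + e.getColumnNumber());
            }
        }
        return failures;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample templates: one valid, one with an unterminated #if.
        Path dir = Files.createTempDirectory("vm-check");
        Files.write(dir.resolve("good.vm"), "Hello $name".getBytes("UTF-8"));
        Files.write(dir.resolve("bad.vm"), "#if($user)\nHello $user".getBytes("UTF-8"));

        List<String> failures = validate(dir, Arrays.asList("good.vm", "bad.vm", "missing.vm"));
        failures.forEach(System.err::println);
        if (!failures.isEmpty()) {
            throw new IllegalStateException(failures.size() + " template(s) failed validation");
        }
    }
}
```

With the sample input, good.vm parses cleanly while bad.vm and missing.vm are reported, so startup is aborted before any template is rendered.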
