velocity-user mailing list archives

From Guillaume Polet <guillaume.po...@gmail.com>
Subject Re: Validate templates before use
Date Mon, 06 Feb 2012 14:58:59 GMT
I would go for the fundamentals of the developer guide:
http://velocity.apache.org/engine/releases/velocity-1.7/developer-guide.html

import org.apache.velocity.Template;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.exception.MethodInvocationException;
import org.apache.velocity.exception.ParseErrorException;
import org.apache.velocity.exception.ResourceNotFoundException;

// If not done yet, init an engine (here the one of the singleton pattern, but there is a
// non-static call that you can do if you don't use the singleton pattern engine)
Velocity.init();

Template template = null;
try {
    // Calling getTemplate will automatically look up the template and parse it.
    template = Velocity.getTemplate("mytemplate.vm");
} catch( ResourceNotFoundException rnfe ) {
    // This should not happen in your case (although it could)
} catch( ParseErrorException pee ) {
    // Well pretty obvious that the template is not correct
} catch( MethodInvocationException mie ) {
    // I don't remember in which case this exception is thrown.
} catch( Exception e ) {
    // Any other failure while loading the template
}


Cheers,
Guillaume

On 6/02/2012 15:44, Chad La Joie wrote:
> On Mon, Feb 6, 2012 at 09:41, sebb<sebbaz@gmail.com>  wrote:
>> Just because it's parseable does not mean it's safe to use ...
>> allowing an end-user to provide a template without manual checking
>> sounds like a recipe for inviting exploits.
> There's nothing I can do about that.  If the user wants to write a
> template that exploits their own system, that's up to them.  I'm just
> trying to provide what checking I can at startup time.
>
>
