velocity-user mailing list archives

From Chad La Joie <laj...@itumi.biz>
Subject Re: Validate templates before use
Date Mon, 06 Feb 2012 15:07:27 GMT
Thanks, that's what I was looking for.  After my last email about the
Template object I wasn't sure if I should really be calling
getTemplate() or not.

On Mon, Feb 6, 2012 at 09:58, Guillaume Polet <guillaume.polet@gmail.com> wrote:
> I would go for the fundamentals of the developer guide:
> http://velocity.apache.org/engine/releases/velocity-1.7/developer-guide.html
>
> // If not done yet, init an engine (here the one of the singleton pattern,
> // but there is a non-static call that you can do if you don't use the
> // singleton pattern engine)
> Velocity.init();
>
> Template template = null;
> try {
>   // Calling getTemplate will automatically look up the template and parse it.
>  template = Velocity.getTemplate("mytemplate.vm");
> } catch( ResourceNotFoundException rnfe ) {
>   // This should not happen in your case (although it could)
> } catch( ParseErrorException pee ) {
>   // Well pretty obvious that the template is not correct
> } catch( MethodInvocationException mie ) {
>   // I don't remember in which case this exception is thrown.
> } catch( Exception e ) {
> }
>
>
> Cheers,
> Guillaume
>
> On 6/02/2012 15:44, Chad La Joie wrote:
>
>> On Mon, Feb 6, 2012 at 09:41, sebb<sebbaz@gmail.com>  wrote:
>>>
>>> Just because it's parseable does not mean it's safe to use ...
>>> allowing an end-user to provide a template without manual checking
>>> sounds like a recipe for inviting exploits.
>>
>> There's nothing I can do about that.  If the user wants to write a
>> template that exploits their own system, that's up to them.  I'm just
>> trying to provide what checking I can at startup time.
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@velocity.apache.org
> For additional commands, e-mail: user-help@velocity.apache.org
>



-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
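
Added example, not part of the original thread and not Velocity project code: a startup check built on the getTemplate() approach quoted above, using a non-singleton engine and reporting where each parse error occurred. It assumes Velocity 1.7 on the classpath; the class name TemplateStartupCheck, the "templates" directory and "other.vm" are placeholders. Because a template that parses can still do unwanted things when rendered, the engine is also configured with Velocity's SecureUberspector.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.exception.ParseErrorException;
import org.apache.velocity.exception.ResourceNotFoundException;
import org.apache.velocity.runtime.RuntimeConstants;

public class TemplateStartupCheck {

    /** Returns one message per template that could not be loaded and parsed. */
    static List<String> validate(VelocityEngine engine, List<String> names) {
        List<String> problems = new ArrayList<String>();
        for (String name : names) {
            try {
                engine.getTemplate(name); // locates and parses; nothing is rendered
            } catch (ResourceNotFoundException e) {
                problems.add(name + ": not found by any configured resource loader");
            } catch (ParseErrorException e) {
                problems.add(name + ": syntax error at line " + e.getLineNumber()
                        + ", column " + e.getColumnNumber() + ": " + e.getMessage());
            } catch (Exception e) {
                problems.add(name + ": " + e);
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        // Assumption: templates are files under ./templates (placeholder path).
        engine.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_PATH, "templates");
        // Parsing says nothing about render-time behaviour. SecureUberspector
        // stops templates from calling reflection and class-loading methods.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();

        // Constructed sample list of template names to check at startup.
        List<String> problems = validate(engine, Arrays.asList("mytemplate.vm", "other.vm"));
        for (String p : problems) System.err.println(p);
        if (!problems.isEmpty()) System.exit(1); // refuse to start with bad templates
    }
}
```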
