velocity-user mailing list archives

From Nathan Bubna <nbu...@gmail.com>
Subject Re: Validate templates before use
Date Mon, 06 Feb 2012 15:14:55 GMT
Pre-validating templates would fall in the "advanced uses" category,
making it much more reasonable to interact with Template. :)

On Mon, Feb 6, 2012 at 7:07 AM, Chad La Joie <lajoie@itumi.biz> wrote:
> Thanks, that's what I was looking for.  After my last email about the
> Template object I wasn't sure if I should really be calling
> getTemplate() or not.
>
> On Mon, Feb 6, 2012 at 09:58, Guillaume Polet <guillaume.polet@gmail.com> wrote:
>> I would go for the fundamentals of the developer guide:
>> http://velocity.apache.org/engine/releases/velocity-1.7/developer-guide.html
>>
>> // If not done yet, init an engine (here the one of the singleton pattern,
>> // but there is a non-static call that you can do if you don't use the
>> // singleton pattern engine)
>> Velocity.init();
>>
>> Template template = null;
>> try {
>>   // Calling getTemplate will automatically look up the template and parse it.
>>   template = Velocity.getTemplate("mytemplate.vm");
>> } catch( ResourceNotFoundException rnfe ) {
>>   // This should not happen in your case (although it could)
>> } catch( ParseErrorException pee ) {
>>   // Well pretty obvious that the template is not correct
>> } catch( MethodInvocationException mie ) {
>>   // I don't remember in which case this exception is thrown.
>> } catch( Exception e ) {
>>   // Any other failure while loading the template
>> }
>>
>>
>> Cheers,
>> Guillaume
>>
>> On 6/02/2012 15:44, Chad La Joie wrote:
>>
>>> On Mon, Feb 6, 2012 at 09:41, sebb <sebbaz@gmail.com> wrote:
>>>>
>>>> Just because it's parseable does not mean it's safe to use ...
>>>> allowing an end-user to provide a template without manual checking
>>>> sounds like a recipe for inviting exploits.
>>>
>>> There's nothing I can do about that.  If the user wants to write a
>>> template that exploits their own system, that's up to them.  I'm just
>>> trying to provide what checking I can at startup time.
>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@velocity.apache.org
>> For additional commands, e-mail: user-help@velocity.apache.org
>>
>
>
>
> --
> Chad La Joie
> www.itumi.biz
> trusted identities, delivered
>
>
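
The startup check discussed in this thread, extended to a batch of templates with error locations, as an added example that is not code from the thread or from the Velocity project. It assumes Velocity 1.7 on the classpath; the class name `TemplatePrecheck`, the temp directory and the two sample templates are constructed for illustration, and `SecureUberspector` is enabled because a template that parses can still call into the application at render time.

```java
import java.nio.file.*;
import java.util.*;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.exception.ParseErrorException;
import org.apache.velocity.exception.ResourceNotFoundException;
import org.apache.velocity.runtime.RuntimeConstants;

public class TemplatePrecheck {
    /** Returns template name -> problem for every template that fails to load or parse. */
    static Map<String, String> precheck(VelocityEngine engine, List<String> names) {
        Map<String, String> problems = new LinkedHashMap<>();
        for (String name : names) {
            try {
                engine.getTemplate(name);   // loads and parses; nothing is rendered
            } catch (ResourceNotFoundException e) {
                problems.put(name, "not found");
            } catch (ParseErrorException e) {
                problems.put(name, "syntax error at line " + e.getLineNumber()
                        + ", column " + e.getColumnNumber());
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one valid template, one with an unclosed #if.
        Path dir = Files.createTempDirectory("vm-precheck");
        Files.write(dir.resolve("good.vm"), "Hello $user.name".getBytes("UTF-8"));
        Files.write(dir.resolve("bad.vm"), "#if($user) Hello".getBytes("UTF-8"));

        VelocityEngine engine = new VelocityEngine();   // non-singleton engine
        engine.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_PATH, dir.toString());
        // Parsing says nothing about what a template does when rendered.
        // SecureUberspector restricts template access to reflection and class-loader classes.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();

        Map<String, String> problems =
                precheck(engine, Arrays.asList("good.vm", "bad.vm", "missing.vm"));
        for (Map.Entry<String, String> p : problems.entrySet()) {
            System.err.println(p.getKey() + ": " + p.getValue());
        }
        if (!problems.isEmpty()) {
            throw new IllegalStateException(problems.size() + " template(s) failed pre-validation");
        }
    }
}
```

With the sample input, `good.vm` passes while `bad.vm` and `missing.vm` are reported, so startup fails before any template is rendered.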
