Hi,
After reading https://ackcent.com/blog/in-depth-freemarker-template-injection/ I wonder why we do not have TemplateClassResolver.SAFER_RESOLVER[1] used by default, as there is for this:
"The api_builtin_enabled configuration setting must be set to true. Its default is false (at least as of 2.3.22) for not lowering the security of existing applications."[2]
Is there a reason?
Thanks
Jacques
[1] https://freemarker.apache.org/docs/api/freemarker/core/TemplateClassResolver.html#SAFER_RESOLVER
[2] https://freemarker.apache.org/docs/ref_builtins_expert.html#ref_buitin_api_and_has_api
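
For readers who want to apply the two settings discussed in the message above, here is an added example (not part of the original message and not project code) that sets both explicitly and checks the result. The class name `SaferFreemarkerConfig`, the helper names and the probe template are constructed for illustration; the class named in the probe is one that the SAFER_RESOLVER Javadoc [1] lists as blocked.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Collections;

public class SaferFreemarkerConfig {

    /** Configuration with both restrictions stated explicitly. */
    static Configuration hardened() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_22);
        // Restrict which classes the ?new built-in is allowed to resolve.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        // ?api is already off by default; set here so the choice is visible in review.
        cfg.setAPIBuiltinEnabled(false);
        // Propagate template errors to the caller instead of writing them to the output.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    /** Returns true if processing the template source fails with a TemplateException. */
    static boolean isRejected(Configuration cfg, String source) throws IOException {
        try {
            new Template("check", source, cfg)
                    .process(Collections.emptyMap(), new StringWriter());
            return false;
        } catch (TemplateException e) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        Configuration cfg = hardened();
        // Constructed probe: only asks ?new to resolve a blocked class; nothing is invoked.
        String probe = "<#assign x = \"freemarker.template.utility.Execute\"?new()>";
        // Constructed control: an ordinary template must still render.
        String benign = "${1 + 1}";
        System.out.println("?new probe rejected:  " + isRejected(cfg, probe));
        System.out.println("benign tmpl rejected: " + isRejected(cfg, benign));
    }
}
```

A check like this fits in a unit test next to wherever the application builds its `Configuration`, so a later change that drops the resolver setting fails the build.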