I think it will break almost everything because most of our FTL is executing 
code anyways. You can try it yourself to see if it works.


On Sunday, May 17, 2020 09:41 +03, Jacques Le Roux 
<jacques.le.r...@les7arts.com> wrote:
Hi,

After reading https://ackcent.com/blog/in-depth-freemarker-template-injection/
I wonder why we do not have TemplateClassResolver.SAFER_RESOLVER[1] used
by default, like there is:

    The api_builtin_enabled configuration setting must be set to true. Its
    default is false (at least as of 2.3.22) for not lowering the security of
    existing applications.[2]

Is there a reason?

Thanks

Jacques

[1] https://freemarker.apache.org/docs/api/freemarker/core/TemplateClassResolver.html#SAFER_RESOLVER
[2] https://freemarker.apache.org/docs/ref_builtins_expert.html#ref_buitin_api_and_has_api
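As an added example, not code from this thread, from OFBiz or from FreeMarker itself: the two settings discussed above, with FreeMarker's shipped default next to the hardened form, plus a check that asks the configured resolver what `?new` would be allowed to load. It assumes FreeMarker 2.3.30 on the classpath and that the resolvers accept null for the env and template arguments.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.TemplateException;

/** Added example: default vs. SAFER_RESOLVER for the ?new built-in, and the ?api default. */
public class SaferResolverCheck {

    /** Configuration as FreeMarker ships it: new_builtin_class_resolver is UNRESTRICTED_RESOLVER. */
    static Configuration defaultConfig() {
        return new Configuration(Configuration.VERSION_2_3_30);
    }

    /** Same configuration with the safer resolver switched on. */
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        // SAFER_RESOLVER refuses ObjectConstructor, Execute and JythonRuntime for ?new;
        // any other class still resolves, so ordinary templates keep working.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        // Kept at its default of false (the 2.3.22+ default quoted in the mail above).
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /** Returns true if the configured resolver would let ?new load className. */
    static boolean resolverAllows(Configuration cfg, String className) {
        try {
            // env and template passed as null: assumed acceptable here, since the
            // bundled resolvers only look at the class name before delegating.
            cfg.getNewBuiltinClassResolver().resolve(className, null, null);
            return true;
        } catch (TemplateException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Execute is one of the three classes SAFER_RESOLVER is documented to block.
        String blocked = "freemarker.template.utility.Execute";
        String harmless = "java.util.ArrayList";
        System.out.println("default  allows Execute?   " + resolverAllows(defaultConfig(), blocked));
        System.out.println("hardened allows Execute?   " + resolverAllows(hardenedConfig(), blocked));
        System.out.println("hardened allows ArrayList? " + resolverAllows(hardenedConfig(), harmless));
        System.out.println("?api enabled by default?   " + defaultConfig().isAPIBuiltinEnabled());
    }
}
```

Running the same check against the `Configuration` an application actually builds is a quick way to confirm which resolver is in effect before deciding whether switching the default would break existing templates.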