Hi Daniel, yes, I disabled them since I assume that they will be the default settings
Thanks in advance Siegfried Goeschl > On 11.10.2020, at 20:42, Daniel Dekany <daniel.dek...@gmail.com> wrote: > > I noticed that ?api and ?new are by default disabled in > freemarker-generator. However, freemarker-generator is inherently unsafe, > as it has tools.freemarker.objectConstructor, and tools.freemarker.statics. > For a command-line tool that's probably fine, but then above two > configuration settings should be left on their convenient defaults as well. > > In general, allowing someone to specify arbitrary command line arguments > to freemarker-generator CLI means that they can do pretty much anything (as > they can provide an arbitrary template with the -i option, then access the > tools). Again, I think such risk is expected from a command line tool, but > it's better if we are conscious about this. > > -- > Best regards, > Daniel Dekany
