On Mon, Jan 4, 2010 at 3:46 PM, Erdinc Yilmazel <erdincyilma...@gmail.com> wrote:
> Hi everybody, I've been working on a new template engine that may be used
> in web application development as an alternative to Freemarker, JSP etc. It
> is still in active development and I desperately need feedback from
> experienced Java developers at this point to shape its usage scenarios and
> its API. If you are interested to have a look at it, please go to
> http://code.google.com/p/cambridge/ where you can view the Wiki or
> check out the source code. Cambridge Template Engine is an open source
> library with Apache 2 license.

The one thing that jumped out at me (from the docs — I haven't had a chance to play yet) is how you handle escaping. Or don't, I'm not sure. You do state that “Cambridge is designed especially for generating HTML, XML or any markup content,” so I figure it's important to be able to produce such output correctly.

For example, if I set the name variable to <script>alert('hi!')</script>, and run it through the template <h1>${name}</h1> then does Cambridge output:

1. <h1><script>alert('hi!')</script></h1>
2. <h1>&lt;script&gt;alert('hi!')&lt;/script&gt;</h1>

This is incredibly important for security reasons (cross site scripting <http://en.wikipedia.org/wiki/Cross-site_scripting>).

Now, this isn't good enough for all cases. There are times when you still need to insert markup directly. So, you need some kind of backdoor, say ${name|xss}, to allow this.

Thankfully modern templating systems are starting to behave like this (both rails and django now escape by default). It's shocking quite how long this problem has been around though.

-Dom
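The escape-by-default behaviour Dom asks for, with an explicit opt-out, sketched as a small Java renderer added here for illustration (this is not Cambridge's code, and the `|xss` modifier is the hypothetical syntax from the message above, not a documented Cambridge feature):

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Toy renderer: ${var} is HTML-escaped by default; ${var|xss} inserts the value verbatim. */
public final class EscapingTemplate {
    // Matches ${name} or ${name|xss}; the optional "|xss" group is the explicit opt-out
    // (hypothetical syntax taken from the message above, not a Cambridge feature).
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{(\\w+)(\\|xss)?\\}");

    /** Escapes the five characters that can break out of HTML text or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders the template; unknown variables render as empty strings. */
    static String render(String template, Map<String, String> vars) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = vars.getOrDefault(m.group(1), "");
            boolean raw = m.group(2) != null; // only ${x|xss} bypasses escaping
            m.appendReplacement(out, Matcher.quoteReplacement(raw ? value : escapeHtml(value)));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: the exact payload from the message above.
        Map<String, String> vars = Map.of("name", "<script>alert('hi!')</script>");
        System.out.println(render("<h1>${name}</h1>", vars));     // escaped: rendered as text
        System.out.println(render("<h1>${name|xss}</h1>", vars)); // verbatim: markup inserted as-is
    }
}
```

Requires Java 9 or later (for `Map.of` and `Matcher.appendReplacement(StringBuilder, ...)`); the first line printed is the escaped form, the second is the raw form that only the explicit opt-out produces.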