Removed web-*.dtd-s from FreeMarker

2017-01-13 Thread Daniel Dekany 
I have removed these from the project (in 2.3.26):

src/main/resources/freemarker/ext/jsp/web-app_2_2.dtd
src/main/resources/freemarker/ext/jsp/web-app_2_3.dtd
src/main/resources/freemarker/ext/jsp/web-jsptaglibrary_1_1.dtd
src/main/resources/freemarker/ext/jsp/web-jsptaglibrary_1_2.dtd

Instead we operate with dummy 0 length DTD-s. That should work, as the
real DTD-s don't define any default attributes or entities, and
validation is turned off. But it's untested, so, if anyone can test is
(with web.xml and taglibs that still use DTD instead of Schema),
please do and report back!

The point of this was to simplify legal things. At this point, we
don't include anything in freemarker.jar that was developed outside
the FreeMarker project.

BTW, this was https://issues.apache.org/jira/browse/FREEMARKER-17.

-- 
Thanks,
 Daniel Dekany

Re: Looking for help to maintain/improve the graphics of Freemarker

2017-01-13 Thread Julien NICOLAS 
I'm agree that the  is visually better and better for understanding 
as well.


For the egg, I wanted to make it ^^ But you're right, project use this 
logo in addition of the project logo (http://incubator.apache.org/)


A new try here : 
https://drive.google.com/open?id=0B5BwTaGcWGtNLU0wQmFiUElFc2c


Some light effects and a new filetype logo.

Julien.


On 13/01/2017 18:54, brede...@me.com wrote:

Hi Daniel,

<#> may be closer to the FreeMarker syntax but  relates more to the 
FreeMarker name‎ and would be better for marketing purposes.

-- Denis.
   Original Message
From: Julien NICOLAS
Sent: Friday, 13 January 2017 16:23
To: dev@freemarker.incubator.apache.org
Reply To: dev@freemarker.incubator.apache.org
Subject: Re: Looking for help to maintain/improve the graphics of Freemarker

Hi Daniel,

Here a new try with the egg logo for Apache Incubator ;)

https://drive.google.com/open?id=0B5BwTaGcWGtNdlVRWE42TklZM1U

Let me know your opinion and if you want another way / idea

Julien.


On 12/01/2017 15:37, Daniel Dekany wrote:

Thursday, January 12, 2017, 2:51:22 PM, Julien NICOLAS wrote:


Hi,

I have done a little job to create the tiny logo for Freemarker.

To be sure that I'm not on the wrong way.

Please find it in my share folder :
https://drive.google.com/open?id=0B5BwTaGcWGtNblNjY2tITVVScFk

I like first two rows. My pick would be the 2nd logo of the 1st row
(rounded corners, pale blue). (To me it a bit feels like as if the F
should be moved up and left a little to be at the visual center,
instead of being geometrically at the center, but that's a minor
thing.)

Semantically, <#> would make more sense, as that how FreeMarker tags
look (<#something>), but if that can't be made to look that good, it
can be the  as well.


It's a svg file so, no problem of pixel, blured and so on.

In continue the work for the "biggest" logo

The "biggest" logo? You just mean the header area on twitter, or do
you intend to create a replacement for the header "logo" on
freemarker.org? (That's possible too.)


and the egg. I'm not sure about the big "

(Here again, it would be the best if that starts with "<#", if that's
not a big problem visually.)


but I like the .

I think about a blank file icon with the ... I'll provide an example
soon.

Julien.

On 11/01/2017 16:50, Jacopo Cappellato wrote:

The Freemarker project is looking for some help to improve or change some
of its graphic elements e.g. a higher resolution logo for Twitter, some
design work to include the Apache Incubator "egg" and the beloved Apache
"feather" etc...

Volunteers?

Jacopo

Re: Looking for help to maintain/improve the graphics of Freemarker

2017-01-13 Thread bredelet 
Hi Daniel,

<#> may be closer to the FreeMarker syntax but  relates more to the 
FreeMarker name‎ and would be better for marketing purposes. 

-- Denis.
  Original Message  
From: Julien NICOLAS
Sent: Friday, 13 January 2017 16:23
To: dev@freemarker.incubator.apache.org
Reply To: dev@freemarker.incubator.apache.org
Subject: Re: Looking for help to maintain/improve the graphics of Freemarker

Hi Daniel,

Here a new try with the egg logo for Apache Incubator ;)

https://drive.google.com/open?id=0B5BwTaGcWGtNdlVRWE42TklZM1U

Let me know your opinion and if you want another way / idea

Julien.


On 12/01/2017 15:37, Daniel Dekany wrote:
> Thursday, January 12, 2017, 2:51:22 PM, Julien NICOLAS wrote:
>
>> Hi,
>>
>> I have done a little job to create the tiny logo for Freemarker.
>>
>> To be sure that I'm not on the wrong way.
>>
>> Please find it in my share folder :
>> https://drive.google.com/open?id=0B5BwTaGcWGtNblNjY2tITVVScFk
> I like first two rows. My pick would be the 2nd logo of the 1st row
> (rounded corners, pale blue). (To me it a bit feels like as if the F
> should be moved up and left a little to be at the visual center,
> instead of being geometrically at the center, but that's a minor
> thing.)
>
> Semantically, <#> would make more sense, as that how FreeMarker tags
> look (<#something>), but if that can't be made to look that good, it
> can be the  as well.
>
>> It's a svg file so, no problem of pixel, blured and so on.
>>
>> In continue the work for the "biggest" logo
> The "biggest" logo? You just mean the header area on twitter, or do
> you intend to create a replacement for the header "logo" on
> freemarker.org? (That's possible too.)
>
>> and the egg. I'm not sure about the big "
> (Here again, it would be the best if that starts with "<#", if that's
> not a big problem visually.)
>
>> but I like the .
>>
>> I think about a blank file icon with the ... I'll provide an example
>> soon.
>>
>> Julien.
>>
>> On 11/01/2017 16:50, Jacopo Cappellato wrote:
>>> The Freemarker project is looking for some help to improve or change some
>>> of its graphic elements e.g. a higher resolution logo for Twitter, some
>>> design work to include the Apache Incubator "egg" and the beloved Apache
>>> "feather" etc...
>>>
>>> Volunteers?
>>>
>>> Jacopo
>>>
>>

Re: Looking for help to maintain/improve the graphics of Freemarker

2017-01-13 Thread Daniel Dekany 
Friday, January 13, 2017, 8:09:42 PM, Daniel Dekany wrote:

> Friday, January 13, 2017, 5:23:10 PM, Julien NICOLAS wrote:
>
>> Hi Daniel,
>>
>> Here a new try with the egg logo for Apache Incubator ;)
>>
>> https://drive.google.com/open?id=0B5BwTaGcWGtNdlVRWE42TklZM1U
>>
>> Let me know your opinion and if you want another way / idea
>
> Apache does have one or a few official Incubator logos. I suppose we
> must use one of those, or at least we shouldn't change it much. The
> goal is simply that we insert the official incubator logo somewhere on
> http://freemarker.org/, with damaging the functionality and look as
> little as possible. (It shouldn't be reasonably noticable without
> scrolling.)

I wanted to write "It *should* be reasonably noticeable"...

>
> As of the "<#>", a bit less nice, but makes more sense semantically...
> I think that's a good compromise (for a Twitter logo). Perhaps the
> shape of the # and spacing around in could be tweaked to look better,
> but I don't know.
>
>> Julien.

-- 
Thanks,
 Daniel Dekany

Re: Looking for help to maintain/improve the graphics of Freemarker

2017-01-13 Thread Daniel Dekany 
Friday, January 13, 2017, 5:23:10 PM, Julien NICOLAS wrote:

> Hi Daniel,
>
> Here a new try with the egg logo for Apache Incubator ;)
>
> https://drive.google.com/open?id=0B5BwTaGcWGtNdlVRWE42TklZM1U
>
> Let me know your opinion and if you want another way / idea

Apache does have one or a few official Incubator logos. I suppose we
must use one of those, or at least we shouldn't change it much. The
goal is simply that we insert the official incubator logo somewhere on
http://freemarker.org/, with damaging the functionality and look as
little as possible. (It shouldn't be reasonably noticable without
scrolling.)

As of the "<#>", a bit less nice, but makes more sense semantically...
I think that's a good compromise (for a Twitter logo). Perhaps the
shape of the # and spacing around in could be tweaked to look better,
but I don't know.

> Julien.
>
>
> On 12/01/2017 15:37, Daniel Dekany wrote:
>> Thursday, January 12, 2017, 2:51:22 PM, Julien NICOLAS wrote:
>>
>>> Hi,
>>>
>>> I have done a little job to create the tiny logo for Freemarker.
>>>
>>> To be sure that I'm not on the wrong way.
>>>
>>> Please find it in my share folder :
>>> https://drive.google.com/open?id=0B5BwTaGcWGtNblNjY2tITVVScFk
>> I like first two rows. My pick would be the 2nd logo of the 1st row
>> (rounded corners, pale blue). (To me it a bit feels like as if the F
>> should be moved up and left a little to be at the visual center,
>> instead of being geometrically at the center, but that's a minor
>> thing.)
>>
>> Semantically, <#> would make more sense, as that how FreeMarker tags
>> look (<#something>), but if that can't be made to look that good, it
>> can be the  as well.
>>
>>> It's a svg file so, no problem of pixel, blured and so on.
>>>
>>> In continue the work for the "biggest" logo
>> The "biggest" logo? You just mean the header area on twitter, or do
>> you intend to create a replacement for the header "logo" on
>> freemarker.org? (That's possible too.)
>>
>>> and the egg. I'm not sure about the big "
>> (Here again, it would be the best if that starts with "<#", if that's
>> not a big problem visually.)
>>
>>> but I like the .
>>>
>>> I think about a blank file icon with the ... I'll provide an example
>>> soon.
>>>
>>> Julien.
>>>
>>> On 11/01/2017 16:50, Jacopo Cappellato wrote:
 The Freemarker project is looking for some help to improve or change some
 of its graphic elements e.g. a higher resolution logo for Twitter, some
 design work to include the Apache Incubator "egg" and the beloved Apache
 "feather" etc...

 Volunteers?

 Jacopo

>>>
>
>

-- 
Thanks,
 Daniel Dekany

Re: Looking for help to maintain/improve the graphics of Freemarker

2017-01-13 Thread Julien NICOLAS 

Hi Daniel,

Here a new try with the egg logo for Apache Incubator ;)

https://drive.google.com/open?id=0B5BwTaGcWGtNdlVRWE42TklZM1U

Let me know your opinion and if you want another way / idea

Julien.


On 12/01/2017 15:37, Daniel Dekany wrote:

Thursday, January 12, 2017, 2:51:22 PM, Julien NICOLAS wrote:


Hi,

I have done a little job to create the tiny logo for Freemarker.

To be sure that I'm not on the wrong way.

Please find it in my share folder :
https://drive.google.com/open?id=0B5BwTaGcWGtNblNjY2tITVVScFk

I like first two rows. My pick would be the 2nd logo of the 1st row
(rounded corners, pale blue). (To me it a bit feels like as if the F
should be moved up and left a little to be at the visual center,
instead of being geometrically at the center, but that's a minor
thing.)

Semantically, <#> would make more sense, as that how FreeMarker tags
look (<#something>), but if that can't be made to look that good, it
can be the  as well.


It's a svg file so, no problem of pixel, blured and so on.

In continue the work for the "biggest" logo

The "biggest" logo? You just mean the header area on twitter, or do
you intend to create a replacement for the header "logo" on
freemarker.org? (That's possible too.)


and the egg. I'm not sure about the big "

(Here again, it would be the best if that starts with "<#", if that's
not a big problem visually.)


but I like the .

I think about a blank file icon with the ... I'll provide an example
soon.

Julien.

On 11/01/2017 16:50, Jacopo Cappellato wrote:

The Freemarker project is looking for some help to improve or change some
of its graphic elements e.g. a higher resolution logo for Twitter, some
design work to include the Apache Incubator "egg" and the beloved Apache
"feather" etc...

Volunteers?

Jacopo

Re: [FM3] Drop ext.jython, ext.javascript, ext.jdom

2017-01-13 Thread Daniel Dekany 
Friday, January 13, 2017, 2:03:01 PM, Mauricio Nuñez wrote:

> Well, FM3 can be reduced to a minimum, core and servlet ( IMHO ), dropping
> those dependencies.
>
> The different integrations can be managed outside of freemarker, ideally
> motivating new projects managed by new people. Just dreaming, but  for
> example, think in an scala-freemarker , clojure-freemarker, o
> nashorn-freemarker integrations.

Yes, that's basically the idea. How much such "extensions" will be
actually implemented (and by who) is another question of course. There
are at least 3 that surely should be done and should be managed under
the umbrella of the official FreeMarker project:

- freemaker-xml: Traverse/query W3C DOM (XML) trees dropped into the
  data-model. That's freemarker.ext.dom in FM2. FM3 is certainly not
  releasable if it's not ready.

- freemarker-servlet: Servlet integration (i.e., FreemarkerServlet)

- freemarker-jsp: JSP custom tag integration

But of course, first the freemarker-core has to be done...

(Speaking of "nashorn-freemarker" (or rather, freemarker-nashorn?), a
perhaps interesting fact: One of the two main developers of FM2,
Attila, was one of the developers of Nashorn at Oracle. AFAIK he did
most of the interaction between the JavaScript and Java word... pretty
hard core stuff.)

> Regards,
>
>
>
> 2017-01-12 11:50 GMT-03:00 Daniel Dekany :
>
>> The question here meant to be if we can *totally* get rid of those in
>> the subject in FM3.
>>
>> Otherwise, yes, there's a consensus regarding the modularity thing,
>> i.e., to have a quite minimal core (whether we call that
>> o.a.f:freemarker or o.a.f:freemarker-core, not decided yet) and then
>> additional modules like o.a.f:freemarker-servlet.
>>
>>
>> Thursday, January 12, 2017, 3:10:36 PM, Mauricio Nuñez wrote:
>>
>> > Hi,
>> >
>> > I agree with a minimal FM3 core and 3rd party dependencies/integrations
>> in
>> > extra modules. Maybe a secondary repository or project, like FM3-extras,
>> > separated from the main site.
>> >
>> > Regards,
>> >
>> > Mauricio
>> >
>> >
>> > 2017-01-12 10:56 GMT-03:00 Daniel Dekany :
>> >
>> >> As far as I know these aren't used much anymore. So I suggest we drop
>> >> them from FM3 (which isn't compatible with FM2 anyway). They would be
>> >> moved to separate Maven modules (jar-s like freemarker-jython)
>> >> otherwise. (If it ever turns out that people miss them in FM3, we can
>> >> always add a such module later.)
>> >>
>> >> Any objections/thoughts?
>> >>
>> >> --
>> >> Thanks,
>> >>  Daniel Dekany
>> >>
>> >>
>>
>> --
>> Thanks,
>>  Daniel Dekany
>>
>>

-- 
Thanks,
 Daniel Dekany

Re: [FM3] Further legacy things to drop...

2017-01-13 Thread Daniel Dekany 
Friday, January 13, 2017, 1:07:36 PM, Christoph Rüger wrote:

> 2017-01-13 1:17 GMT+01:00 Daniel Dekany :
>
>> Friday, January 13, 2017, 12:08:12 AM, Christoph Rüger wrote:
>>
>> > +1 for everything.
>> >
>> > additional security topics:
>> > use TemplateClassResolver.ALLOWS_NOTHING_RESOLVER by default to
>> > avoid template injection attacks.
>>
>> At least in FM2 you pull in your TemplateDirectiveModel-s and
>> TemplateMethodModel-s into #import/#include-able FTL-s with `?new`. I
>> can imagine much better mechanisms for that use-case though... But for
>> now, the point is that we can't just default to
>> ALLOWS_NOTHING_RESOLVER without giving an alternative first. But, now
>> that you say, I will delete those legacy "utility" TemplateModel-s
>> which make `?new` rather dangerous.
>>
>
> Yes, that's what I meant. e.g. "Execute
> "
> where can run code on the server:
>
> <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id")}

Yeah, that's my favorite... Obviously, the mind set back then was that
templates are just part of the source code like java files are. You
can do whatever you want in both.

> Source
> 
>
> I have another thing regarding XXE-Attacks in FM-XML-processing
> (regarding DocumentBuilderFactory
> in freemarker.ext.dom.NodeModel) where a different default behavior would
> be good IMO.
> I can give more details in a separate email if you want.

Please do! That affects FM2 too.

>> > 2017-01-12 23:58 GMT+01:00 Daniel Dekany :
>> > I have collected some further easy changes for FM3... Any comments?
>> >
>> > - Drop FTL classic compatible mode option (Roughly emulates FM1
>> >   behavior at null-s and at some type handling issues)
>> >
>> > - Drop FTL non-strict syntax option (FM1 syntax - that's where you
>> >   could write  instead of <#if x>).
>> >
>> > - Drop all the "public static void main(String[] args)" methods
>> (security concern)
>> >
>> > - Drop freemarker.log. That's a simple log adapter facility from the
>> >   ancient times of Java, kind of like commons-logging or slf4j. I
>> >   would instead introduce slf4j-api as a required dependency.
>> >
>> > - Drop legacy XML wrapper (freemarker.ext.xml, not to be confused with
>> >   freemarker.ext.dom)
>> >
>> > - Drop ant task (freemarker.ext.ant)
>> >
>> > --
>> > Thanks,
>> >  Daniel Dekany
>> >
>> >
>> >
>> >
>>
>> --
>> Thanks,
>>  Daniel Dekany
>>
>>
>
>
> -- 
> Christoph Rüger, Geschäftsführer
> Synesty  - Automatisierung, Schnittstellen, Datenfeeds
> Tel.: +49 3641/559649
>
> Xing: https://www.xing.com/profile/Christoph_Rueger2
> LinkedIn: http://www.linkedin.com/pub/christoph-rueger/a/685/198
>

-- 
Thanks,
 Daniel Dekany

Re: [FM3] Drop ext.jython, ext.javascript, ext.jdom

2017-01-13 Thread Mauricio Nuñez 
Well, FM3 can be reduced to a minimum, core and servlet ( IMHO ), dropping
those dependencies.

The different integrations can be managed outside of freemarker, ideally
motivating new projects managed by new people. Just dreaming, but  for
example, think in an scala-freemarker , clojure-freemarker, o
nashorn-freemarker integrations.

Regards,



2017-01-12 11:50 GMT-03:00 Daniel Dekany :

> The question here meant to be if we can *totally* get rid of those in
> the subject in FM3.
>
> Otherwise, yes, there's a consensus regarding the modularity thing,
> i.e., to have a quite minimal core (whether we call that
> o.a.f:freemarker or o.a.f:freemarker-core, not decided yet) and then
> additional modules like o.a.f:freemarker-servlet.
>
>
> Thursday, January 12, 2017, 3:10:36 PM, Mauricio Nuñez wrote:
>
> > Hi,
> >
> > I agree with a minimal FM3 core and 3rd party dependencies/integrations
> in
> > extra modules. Maybe a secondary repository or project, like FM3-extras,
> > separated from the main site.
> >
> > Regards,
> >
> > Mauricio
> >
> >
> > 2017-01-12 10:56 GMT-03:00 Daniel Dekany :
> >
> >> As far as I know these aren't used much anymore. So I suggest we drop
> >> them from FM3 (which isn't compatible with FM2 anyway). They would be
> >> moved to separate Maven modules (jar-s like freemarker-jython)
> >> otherwise. (If it ever turns out that people miss them in FM3, we can
> >> always add a such module later.)
> >>
> >> Any objections/thoughts?
> >>
> >> --
> >> Thanks,
> >>  Daniel Dekany
> >>
> >>
>
> --
> Thanks,
>  Daniel Dekany
>
>

Re: [FM3] Further legacy things to drop...

2017-01-13 Thread Christoph Rüger 
2017-01-13 1:17 GMT+01:00 Daniel Dekany :

> Friday, January 13, 2017, 12:08:12 AM, Christoph Rüger wrote:
>
> > +1 for everything.
> >
> > additional security topics:
> > use TemplateClassResolver.ALLOWS_NOTHING_RESOLVER by default to
> > avoid template injection attacks.
>
> At least in FM2 you pull in your TemplateDirectiveModel-s and
> TemplateMethodModel-s into #import/#include-able FTL-s with `?new`. I
> can imagine much better mechanisms for that use-case though... But for
> now, the point is that we can't just default to
> ALLOWS_NOTHING_RESOLVER without giving an alternative first. But, now
> that you say, I will delete those legacy "utility" TemplateModel-s
> which make `?new` rather dangerous.
>

Yes, that's what I meant. e.g. "Execute
"
where can run code on the server:

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id")}
Source


I have another thing regarding XXE-Attacks in FM-XML-processing
(regarding DocumentBuilderFactory
in freemarker.ext.dom.NodeModel) where a different default behavior would
be good IMO.
I can give more details in a separate email if you want.



> > 2017-01-12 23:58 GMT+01:00 Daniel Dekany :
> > I have collected some further easy changes for FM3... Any comments?
> >
> > - Drop FTL classic compatible mode option (Roughly emulates FM1
> >   behavior at null-s and at some type handling issues)
> >
> > - Drop FTL non-strict syntax option (FM1 syntax - that's where you
> >   could write  instead of <#if x>).
> >
> > - Drop all the "public static void main(String[] args)" methods
> (security concern)
> >
> > - Drop freemarker.log. That's a simple log adapter facility from the
> >   ancient times of Java, kind of like commons-logging or slf4j. I
> >   would instead introduce slf4j-api as a required dependency.
> >
> > - Drop legacy XML wrapper (freemarker.ext.xml, not to be confused with
> >   freemarker.ext.dom)
> >
> > - Drop ant task (freemarker.ext.ant)
> >
> > --
> > Thanks,
> >  Daniel Dekany
> >
> >
> >
> >
>
> --
> Thanks,
>  Daniel Dekany
>
>


-- 
Christoph Rüger, Geschäftsführer
Synesty  - Automatisierung, Schnittstellen, Datenfeeds
Tel.: +49 3641/559649

Xing: https://www.xing.com/profile/Christoph_Rueger2
LinkedIn: http://www.linkedin.com/pub/christoph-rueger/a/685/198

-- 
Synesty GmbH
Moritz-von-Rohr-Str. 1a
07745 Jena
Tel.: +49 3641 559649
Fax.: +49 3641 5596499
Internet: http://synesty.com

Geschäftsführer: Christoph Rüger
Unternehmenssitz: Jena
Handelsregister B beim Amtsgericht: Jena
Handelsregister-Nummer: HRB 508766
Ust-IdNr.: DE287564982