Subject: svn commit: r1855185 [2/2] - in /velocity/site/cms/trunk/content/engine/2.1: configuration-property-changes-in-2.1.mdtext configuration.mdtext developer-guide.mdtext upgrading.mdtext user-guide.mdtext vtl-reference.mdtext webapps.mdtext
Date: Mon, 11 Mar 2019 00:29:17 -0000
To: commits@velocity.apache.org
From: cbrisson@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20190311002917.AC9E83A2D11@svn01-us-west.apache.org> Modified: velocity/site/cms/trunk/content/engine/2.1/webapps.mdtext URL: http://svn.apache.org/viewvc/velocity/site/cms/trunk/content/engine/2.1/webapps.mdtext?rev=1855185&r1=1855184&r2=1855185&view=diff ============================================================================== --- velocity/site/cms/trunk/content/engine/2.1/webapps.mdtext (original) +++ velocity/site/cms/trunk/content/engine/2.1/webapps.mdtext Mon Mar 11 00:29:17 2019 @@ -38,14 +38,14 @@ The simplest replacement for FileResourc If you are using the VelocityViewServlet, then it is automatically configured and ready to use the WebappResourceLoader. So if you want to change the configured path(s), you need only add a line like the following to your velocity.properties: :::properties - webapp.resource.loader.path=/WEB-INF/mytemplates/ + resource.loader.webapp.path=/WEB-INF/mytemplates/ If you need to set the WebappResourceLoader up on your own, then you can make your properties something like this: :::properties - resource.loader=webapp - webapp.resource.loader.class=org.apache.velocity.tools.view.WebappResourceLoader - webapp.resource.loader.path=/WEB-INF/mytemplates/ + resource.loader = webapp + resource.loader.webapp.class = org.foo.WebappResourceLoader + resource.loader.webapp.path = /WEB-INF/mytemplates/ You will **also need to put the ServletContext into your VelocityEngine's application attributes** before initializing that Engine. This is how the WebappResourceLoader knows how to find templates. 
@@ -83,7 +83,7 @@ Any user-entered text that contains spec However, Velocity provides the ability to specify a `ReferenceInsertionEventHandler` which will alter the value of a reference before it is inserted into the page. Specifically, you can configure the `EscapeHtmlReference` handler into your `velocity.properties` file to escape all references (optionally) matching a regular expression. The following example will escape HTML entities in any reference that starts with "msg" (e.g. `$msgText`). :::properties - eventhandler.referenceinsertion.class = org.apache.velocity.app.event.implement.EscapeHtmlReference + eventhandler.reference_insertion.class = org.apache.velocity.app.event.implement.EscapeHtmlReference eventhandler.escape.html.match = /msg.*/ Note that other kinds of escaping are sometimes required. For example, in style sheets the @ character needs to be escaped, and in Javascript strings the single apostrophe ' needs to be escaped. @@ -93,7 +93,7 @@ Note that other kinds of escaping are so Since a web application is running on a central server, that typically has multiple users and confidential resources, care must be taken to make certain that the web application is secure. Most standard web security principles apply to a web application built with Velocity. A few specific issues (such as system configuration, more on cross-site scripting, and method introspection) are written up in this article on [Building Secure Applications with Velocity](http://wiki.apache.org/velocity/BuildingSecureWebApplications). In particular, you may want to prevent template designers from including "dangerous" reflection-related methods by specifying the `SecureUberspector` to get/set properties and execute method calls. :::properties - runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector + runtime.introspector.uberspect.class = org.apache.velocity.util.introspection.SecureUberspector ### Logging
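Review bot: In the @@ -38,14 +38,14 @@ hunk, the new `resource.loader.webapp.class` line replaces `org.apache.velocity.tools.view.WebappResourceLoader` with `org.foo.WebappResourceLoader`, which reads as a placeholder package that nothing on the page defines; a reader who copies the block as written will configure a class name the old text never used. Keep the original class name on that line, or state in the sentence above the block that `org.foo` stands for the reader's own package. The same hunk leaves `resource.loader = webapp` under its old key while moving the per-loader keys to the `resource.loader.webapp.*` form, so confirm that key against configuration-property-changes-in-2.1.mdtext, which this commit also touches. Minor: the first example keeps `path=` without spaces while the second block now uses ` = `.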
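Review bot: In the @@ -83,7 +83,7 @@ hunk, only the `.class` key is renamed to `eventhandler.reference_insertion.class`, while the unchanged `eventhandler.escape.html.match = /msg.*/` line directly below it keeps its old form. Confirm that the match key is still the name 2.1 reads, because a stale key there would change which references are escaped. Since the example as shown escapes only references starting with "msg", it would also help to add one sentence saying what happens when the match line is omitted, which the surrounding paragraph only hints at with "(optionally)".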
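Review bot: In the @@ -93,7 +93,7 @@ hunk, `runtime.introspector.uberspect` becomes `runtime.introspector.uberspect.class` with no mention of the old name, and this is the key that keeps template designers away from reflection-related methods. Say in the paragraph whether 2.1 still honours the old key; if it does not, a deployment that upgrades and keeps the old line runs without `SecureUberspector` and sees no error, so a pointer to upgrading.mdtext belongs next to the example. The context line also links the security article over plain `http://`; switch it to `https://` if the wiki serves it.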