velocity-user mailing list archives

From "Treague, Keith" <Keith.Trea...@merrillcorp.com>
Subject RE: Should I use velocity?
Date Tue, 30 Mar 2010 22:22:44 GMT
Can you please elaborate how?

-----Original Message-----
From: Alexander Krasnukhin [mailto:the.malkolm@gmail.com] 
Sent: Tuesday, March 30, 2010 4:02 PM
To: Velocity Users List
Subject: Re: Should I use velocity?

Yes. A user could execute arbitrary Java methods from a template.

On 31 March 2010 03:59, Treague, Keith <Keith.Treague@merrillcorp.com> wrote:

> I'm looking for a templating engine that can take a set of data I give it,
> put it into an html template, and then I'll either return that to a web
> browser or send that out as an e-mail. The catch is I want my users to be
> able to edit the template itself.
>
> My concern is if they are editing the template, is there any way they can
> create a malicious template that will execute malicious code on the server
> such as calling various services on the server to get unauthorized info or
> grant themselves additional access? If you can execute arbitrary Java
> methods from a template I can't use it. Any input I'd appreciate!
>
> (sorry if you get this twice, the first time I sent it I wasn't subscribed
> yet)
>



-- 
Regards,
Alexander
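
As an added illustration of the concern raised in this thread (not code from either poster or from the Velocity project), the sketch below renders a user-edited template with Velocity's SecureUberspector and a context that holds only strings. It assumes Velocity 2.x on the classpath; the class name UserTemplateRenderer and the sample data are hypothetical.

```java
import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class UserTemplateRenderer {
    private final VelocityEngine engine = new VelocityEngine();

    public UserTemplateRenderer() {
        // Swap the default introspector for SecureUberspector, which refuses
        // method calls on reflection and class-loading types (java.lang.reflect,
        // Class, ClassLoader, Runtime, System, Thread and similar).
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();
    }

    /** Renders a user-edited template against plain string data only. */
    public String render(String userTemplate, Map<String, String> data) {
        // Fresh context per render: String values only, no service objects,
        // no request or session, no tools. Whatever is placed here is what
        // the template author can call methods on.
        VelocityContext ctx = new VelocityContext();
        for (Map.Entry<String, String> e : data.entrySet()) {
            ctx.put(e.getKey(), e.getValue());
        }
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "user-template", userTemplate);
        return out.toString();
    }

    public static void main(String[] args) {
        Map<String, String> data = new LinkedHashMap<>();
        data.put("name", "Keith");        // constructed sample data
        data.put("orderId", "A-1001");    // constructed sample data
        UserTemplateRenderer r = new UserTemplateRenderer();
        // Ordinary substitution works as before.
        System.out.println(r.render("<p>Hello $name, order $orderId shipped.</p>", data));
        // Calls on the java.lang.Class object reached through getClass() are
        // refused, so this reference comes back unrendered.
        System.out.println(r.render("$name.getClass().getClassLoader()", data));
    }
}
```

SecureUberspector narrows what a template can call but is only one layer; the set of objects placed in the context remains the main control over what user-edited templates can reach.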
