I'm new to FreeMarker, and I need to know about this problem to decide whether to choose it or not: I will strip XSS myself, but I don't know whether the other features of FreeMarker are safe when the site allows users to edit their templates?
A:
Oh, goodness no! This is basically equivalent to allowing the user to evaluate arbitrary code. Removing XSS after the fact only removes one potential vulnerability. They'll still be able to do plenty of other things, like manipulate POST parameters or perform page redirects.
John Feminella
2009-05-24 03:33:58
Does it have any options to block some built-in variables like Request ...?
StoneHeart
2009-05-24 03:55:26
A:
John is right. And letting the user actually edit FreeMarker templates themselves seems odd. If you are outputting user input again (like displaying the search term on the results page), I'd suggest using the ?html string built-in; it'll save you from the most rudimentary XSS attacks (e.g. "you searched for '${term?html}'").
andynu
2009-06-04 21:12:37
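The ?html built-in from the answer above, shown in working code. This is an added example, not code from the thread or from the FreeMarker project; it assumes FreeMarker is on the classpath (2.3.24 or newer for the auto-escaping part), and the class name EscapeDemo, the template names results-raw.ftl and results-html.ftl, and the search term are hypothetical and constructed for the demonstration.

```java
// Added example (not from the original thread): rendering a user-supplied
// search term with FreeMarker three ways, to show what ?html does.
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class EscapeDemo {

    // Renders the named template from the given Configuration against a
    // data model that carries only the user-supplied search term.
    static String render(Configuration cfg, String templateName, String term)
            throws IOException, TemplateException {
        Map<String, Object> model = new HashMap<>();
        model.put("term", term);
        StringWriter out = new StringWriter();
        Template template = cfg.getTemplate(templateName);
        template.process(model, out);
        return out.toString();
    }

    // Templates are kept in memory (hypothetical names) so the example runs
    // without any files on disk. Only the developer writes these templates;
    // the user controls nothing but the value of ${term}.
    static Configuration newConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        StringTemplateLoader loader = new StringTemplateLoader();
        // Unsafe: the raw term is interpolated straight into the HTML.
        loader.putTemplate("results-raw.ftl",
                "<p>You searched for '${term}'</p>");
        // Safe: the ?html built-in HTML-escapes <, >, &, " (and ' in recent versions).
        loader.putTemplate("results-html.ftl",
                "<p>You searched for '${term?html}'</p>");
        cfg.setTemplateLoader(loader);
        return cfg;
    }

    public static void main(String[] args) throws IOException, TemplateException {
        // Constructed input: what an attacker would type into the search box.
        String hostileTerm = "<script>alert(document.cookie)</script>";

        Configuration cfg = newConfiguration();
        System.out.println("raw:   " + render(cfg, "results-raw.ftl", hostileTerm));
        System.out.println("?html: " + render(cfg, "results-html.ftl", hostileTerm));

        // FreeMarker 2.3.24+ can escape every ${...} automatically when the
        // Configuration declares an HTML output format. Then even the template
        // that forgot ?html renders the term as text, and trusted markup has
        // to be emitted explicitly with ?no_esc.
        Configuration autoEscaping = newConfiguration();
        autoEscaping.setOutputFormat(HTMLOutputFormat.INSTANCE);
        System.out.println("auto:  " + render(autoEscaping, "results-raw.ftl", hostileTerm));
    }
}
```

Run it and compare the three lines: the first echoes the script tag into the page, the other two emit it as escaped text. Note what this does and does not address: ?html (or the output-format auto-escaping) protects the case the answer describes, a developer-written template that displays user data. It does nothing for the situation in the question, where the user writes the template itself, because the escaping is applied by the template author, who in that case is the attacker.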