- Type: Clean up
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: QualifiedToSchedule
- Component/s: Code Refactoring (Global)
Since FreeMarker 2.3.24 it is possible to associate an output format with FreeMarker templates, either programmatically (a default output format on the Configuration) or through the standard file extensions (.ftlh for HTML, .ftlx for XML). Once a template has an HTML output format, its ${...} interpolations are HTML-escaped automatically.
We should take advantage of that and escape everything by default, so that a forgotten ?html in a template no longer becomes an undiagnosed XSS issue.
References:
- http://freemarker.org/docs/dgui_misc_autoescaping.html
- http://freemarker.org/docs/pgui_config_outputformatsautoesc.html
- http://stackoverflow.com/questions/1265488/default-escaping-in-freemarker#36294233
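The following is an added, stand-alone example of the configuration this ticket proposes; it is not code from this project or from FreeMarker's documentation. It sets HTML as the default output format on a FreeMarker Configuration, enables the standard file extensions, and renders two constructed in-memory templates: one where a user-controlled value is escaped automatically, and one where the template author explicitly opts out with ?no_esc (the opt-out a code reviewer should grep for once escaping is on by default). The template names, model keys and sample values are assumptions made up for the example.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class AutoEscapeDemo {

    // Constructed sample value: the kind of user-controlled input a template might render.
    static final String UNTRUSTED = "<script>alert(1)</script>";

    static Configuration buildConfiguration() {
        // Pin the incompatible-improvements version so escaping defaults are explicit.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_24);

        // Escape by default: every template without its own output format gets HTML
        // escaping for ${...} interpolations, not only the ones named *.ftlh.
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);

        // Also honour the standard extensions (.ftlh -> HTML, .ftlx -> XML), so a template
        // named that way keeps the matching output format even if the default changes.
        cfg.setRecognizeStandardFileExtensions(true);

        // Constructed in-memory templates (assumption) so the example runs without files.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("greeting.ftlh", "<p>Hello, ${name}!</p>");
        // ?no_esc is the explicit opt-out: the template author asserts the value is
        // already safe HTML. This is the construct to look for in review.
        loader.putTemplate("trusted.ftlh", "<div>${safeHtml?no_esc}</div>");
        cfg.setTemplateLoader(loader);
        return cfg;
    }

    // Render one template with the given model and return the output as a String.
    static String render(Configuration cfg, String templateName, Map<String, Object> model)
            throws IOException, TemplateException {
        Template tpl = cfg.getTemplate(templateName);
        StringWriter out = new StringWriter();
        tpl.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = buildConfiguration();

        // The untrusted value is HTML-escaped without any ?html in the template.
        Map<String, Object> model = new HashMap<>();
        model.put("name", UNTRUSTED);
        System.out.println(render(cfg, "greeting.ftlh", model));

        // The ?no_esc value is emitted verbatim because the template opted out.
        Map<String, Object> trusted = new HashMap<>();
        trusted.put("safeHtml", "<b>bold</b>");
        System.out.println(render(cfg, "trusted.ftlh", trusted));
    }
}
```

Setting the default on the Configuration covers templates loaded under any name; the extension rule alone only protects templates that are actually renamed to .ftlh, which is why both are set here. A per-template alternative is the `<#ftl output_format="HTML">` header, useful for a gradual migration of an existing template set.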