[NXP-21695] Upgrade FreeMarker and use escaping by default - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Clean up
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: QualifiedToSchedule
Component/s: Code Refactoring (Global)

Tags:
- nxcore
- security
Story Points:
5

Description

Since FreeMarker 2.3.24 it's possible to associate an output format to FreeMarker templates, either by code or by using specific extensions.

We should take advantage of that and escape everything by default, to avoid undiagnosed XSS issues.

References:
http://freemarker.org/docs/dgui_misc_autoescaping.html
http://freemarker.org/docs/pgui_config_outputformatsautoesc.html
http://stackoverflow.com/questions/1265488/default-escaping-in-freemarker#36294233

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Florent Guillaume

Participants:

Florent Guillaume

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2017-02-22 20:59

Updated:

2018-03-15 16:10