rspec/rules/S5247/java/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

With https://github.com/samskivert/jmustache[JMustache by samskivert]:

----
Mustache.compiler().escapeHTML(false).compile(template).execute(context); // Sensitive
Mustache.compiler().withEscaper(Escapers.NONE).compile(template).execute(context); // Sensitive
----
With https://freemarker.apache.org/[Freemarker]:

----
freemarker.template.Configuration configuration = new freemarker.template.Configuration();
configuration.setAutoEscapingPolicy(DISABLE_AUTO_ESCAPING_POLICY); // Sensitive
----

== Compliant Solution

With https://github.com/samskivert/jmustache[JMustache by samskivert]:

[source,java]
----
Mustache.compiler().compile(template).execute(context); // Compliant, auto-escaping is enabled by default
Mustache.compiler().escapeHTML(true).compile(template).execute(context); // Compliant
----
With https://freemarker.apache.org/[Freemarker]. See https://freemarker.apache.org/docs/api/freemarker/template/Configuration.html#setAutoEscapingPolicy-int-["setAutoEscapingPolicy" documentation] for more details. 

[source,java]
----
freemarker.template.Configuration configuration = new freemarker.template.Configuration();
configuration.setAutoEscapingPolicy(ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY); // Compliant
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 27 Jan 2021, 11:01:55 Quentin Jaquier wrote:
Other template engine considered, but discarded because they do not have a way to disable the escaping globally:


* https://www.thymeleaf.org/[Thymleaf]:
Auto-escaping is the default. It is not possible to disable it globally in the Java code, https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#unescaped-text[un-escaped text] can be done only in the HTML file.


* https://github.com/spullara/mustache.java[JMustache by spullara]:
Same as Thymleaf. In addition, it is possible https://groups.google.com/g/mustachejava/c/7qh3Ar8MHsc/m/zKc2fvdPAQAJ[to overwrite the behavior by overwriting "encode()" method], but this seems like a workaround and is really not likely to be done by inadvertance without knowing what you are doing.


* https://pebbletemplates.io/[Pebble Templates]
https://pebbletemplates.io/wiki/guide/escaping/[Auto-escaping enabled by default]. Only possible to disable it via the https://pebbletemplates.io/wiki/filter/raw/[raw filter], not globally in the Java code.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`With https://github.com/samskivert/jmustache[JMustache by samskivert]:`

			`----`
			`Mustache.compiler().escapeHTML(false).compile(template).execute(context); // Sensitive`
			`Mustache.compiler().withEscaper(Escapers.NONE).compile(template).execute(context); // Sensitive`
			`----`
			`With https://freemarker.apache.org/[Freemarker]:`

			`----`
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			`freemarker.template.Configuration configuration = new freemarker.template.Configuration();`
			`configuration.setAutoEscapingPolicy(DISABLE_AUTO_ESCAPING_POLICY); // Sensitive`
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`----`

			`== Compliant Solution`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			`With https://github.com/samskivert/jmustache[JMustache by samskivert]:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`----`
			`Mustache.compiler().compile(template).execute(context); // Compliant, auto-escaping is enabled by default`
			`Mustache.compiler().escapeHTML(true).compile(template).execute(context); // Compliant`
			`----`
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			`With https://freemarker.apache.org/[Freemarker]. See https://freemarker.apache.org/docs/api/freemarker/template/Configuration.html#setAutoEscapingPolicy-int-["setAutoEscapingPolicy" documentation] for more details.`
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`----`
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			`freemarker.template.Configuration configuration = new freemarker.template.Configuration();`
			`configuration.setAutoEscapingPolicy(ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY); // Compliant`
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 27 Jan 2021, 11:01:55 Quentin Jaquier wrote:`
			`Other template engine considered, but discarded because they do not have a way to disable the escaping globally:`


			`* https://www.thymeleaf.org/[Thymleaf]:`
			`Auto-escaping is the default. It is not possible to disable it globally in the Java code, https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#unescaped-text[un-escaped text] can be done only in the HTML file.`


			`* https://github.com/spullara/mustache.java[JMustache by spullara]:`
			`Same as Thymleaf. In addition, it is possible https://groups.google.com/g/mustachejava/c/7qh3Ar8MHsc/m/zKc2fvdPAQAJ[to overwrite the behavior by overwriting "encode()" method], but this seems like a workaround and is really not likely to be done by inadvertance without knowing what you are doing.`


			`* https://pebbletemplates.io/[Pebble Templates]`
			`https://pebbletemplates.io/wiki/guide/escaping/[Auto-escaping enabled by default]. Only possible to disable it via the https://pebbletemplates.io/wiki/filter/raw/[raw filter], not globally in the Java code.`

			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`