include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

With https://github.com/samskivert/jmustache[JMustache by samskivert]:

[source,java]
----
Mustache.compiler().escapeHTML(false).compile(template).execute(context); // Sensitive
Mustache.compiler().withEscaper(Escapers.NONE).compile(template).execute(context); // Sensitive
----

With https://freemarker.apache.org/[Freemarker]:

[source,java]
----
freemarker.template.Configuration configuration = new freemarker.template.Configuration();
configuration.setAutoEscapingPolicy(freemarker.template.Configuration.DISABLE_AUTO_ESCAPING_POLICY); // Sensitive
----

== Compliant Solution

With https://github.com/samskivert/jmustache[JMustache by samskivert]:

[source,java]
----
Mustache.compiler().compile(template).execute(context); // Compliant, auto-escaping is enabled by default
Mustache.compiler().escapeHTML(true).compile(template).execute(context); // Compliant
----

With https://freemarker.apache.org/[Freemarker]. See the https://freemarker.apache.org/docs/api/freemarker/template/Configuration.html#setAutoEscapingPolicy-int-["setAutoEscapingPolicy" documentation] for more details.

[source,java]
----
freemarker.template.Configuration configuration = new freemarker.template.Configuration();
// Compliant: values are escaped for output formats that escape by default (HTML, XML).
// The template must therefore use such an output format (for instance a .ftlh file, or
// setOutputFormat(HTMLOutputFormat.INSTANCE)); with the default "undefined" output format nothing is escaped.
configuration.setAutoEscapingPolicy(freemarker.template.Configuration.ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY); // Compliant
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 27 Jan 2021, 11:01:55 Quentin Jaquier wrote:
Other template engines considered, but discarded because they do not have a way to disable the escaping globally:

* https://www.thymeleaf.org/[Thymeleaf]: Auto-escaping is the default. It is not possible to disable it globally in the Java code; https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#unescaped-text[un-escaped text] can be done only in the HTML file.
* https://github.com/spullara/mustache.java[JMustache by spullara]: Same as Thymeleaf. In addition, it is possible https://groups.google.com/g/mustachejava/c/7qh3Ar8MHsc/m/zKc2fvdPAQAJ[to overwrite the behavior by overwriting the "encode()" method], but this seems like a workaround and is really not likely to be done by inadvertence without knowing what you are doing.
* https://pebbletemplates.io/[Pebble Templates]: https://pebbletemplates.io/wiki/guide/escaping/[Auto-escaping enabled by default]. Only possible to disable it via the https://pebbletemplates.io/wiki/filter/raw/[raw filter], not globally in the Java code.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
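The following is an added example, not part of this rule specification and not taken from JMustache's or Freemarker's own documentation. It renders one constructed attacker-controlled value through the sensitive and the compliant configurations from the Sensitive Code Example and Compliant Solution sections above, so the effect of the setting can be observed directly, and it exercises a Freemarker caveat: `ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY` only escapes when the template's output format is one that escapes by default (HTML or XML), so the example sets `HTMLOutputFormat` explicitly and shows that the same policy with the default "undefined" output format leaves the payload raw. The class name `AutoEscapingDemo`, the helper method names, the payload string and the choice of `Configuration.VERSION_2_3_31` are assumptions; the library calls are the real JMustache and Freemarker APIs. Requires `com.samskivert:jmustache` and `org.freemarker:freemarker` on the classpath.

```java
// Added example (not the rule's or either library's own code): same untrusted value,
// escaping on vs. off, for JMustache and Freemarker.
import com.samskivert.mustache.Escapers;
import com.samskivert.mustache.Mustache;
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

public class AutoEscapingDemo {

    // Constructed payload standing in for untrusted input (query parameter, stored comment, ...).
    static final String PAYLOAD = "<img src=x onerror=alert(1)>";
    static final Map<String, Object> CONTEXT = Map.of("name", PAYLOAD);

    // JMustache: the compiler's escapeHTML flag decides whether {{name}} is HTML-encoded.
    static String jmustache(boolean escapeHtml) {
        return Mustache.compiler()
                .escapeHTML(escapeHtml)
                .compile("Hello {{name}}")
                .execute(CONTEXT);
    }

    // Same effect as escapeHTML(false): an explicit escaper that passes text through unchanged.
    static String jmustacheNoEscaper() {
        return Mustache.compiler()
                .withEscaper(Escapers.NONE)
                .compile("Hello {{name}}")
                .execute(CONTEXT);
    }

    // Freemarker: the auto-escaping policy is only consulted for markup output formats.
    // With the default "undefined" output format, even ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY
    // escapes nothing, so the output format has to be HTML (set here, or derived from a .ftlh
    // file name) for the compliant setting to have any effect.
    static String freemarker(int autoEscapingPolicy, boolean htmlOutputFormat)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31); // version constant: assumption
        if (htmlOutputFormat) {
            cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        }
        cfg.setAutoEscapingPolicy(autoEscapingPolicy);
        Template template = new Template("greeting", "Hello ${name}", cfg);
        StringWriter out = new StringWriter();
        template.process(CONTEXT, out);
        return out.toString();
    }

    // The check a reviewer wants: no raw angle brackets survive in the rendered HTML.
    static boolean isNeutralised(String rendered) {
        return !rendered.contains("<") && !rendered.contains(">");
    }

    public static void main(String[] args) throws IOException, TemplateException {
        System.out.println("JMustache escapeHTML(true):  " + jmustache(true));        // encoded
        System.out.println("JMustache escapeHTML(false): " + jmustache(false));       // raw, Sensitive
        System.out.println("JMustache Escapers.NONE:     " + jmustacheNoEscaper());   // raw, Sensitive

        String compliant = freemarker(Configuration.ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY, true);
        String disabled = freemarker(Configuration.DISABLE_AUTO_ESCAPING_POLICY, true);
        String noFormat = freemarker(Configuration.ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY, false);
        System.out.println("Freemarker HTML + ENABLE_IF_DEFAULT: " + compliant);   // encoded
        System.out.println("Freemarker HTML + DISABLE:           " + disabled);    // raw, Sensitive
        System.out.println("Freemarker undefined output format:  " + noFormat);    // raw despite the policy

        if (!isNeutralised(compliant) || !isNeutralised(jmustache(true))) {
            throw new AssertionError("auto-escaping did not neutralise the payload");
        }
        if (isNeutralised(disabled) || isNeutralised(jmustache(false)) || isNeutralised(noFormat)) {
            throw new AssertionError("expected the sensitive configurations to emit the raw payload");
        }
    }
}
```

The last block of `main` is the useful part to carry into a test suite: assert that the production `Configuration` (or `Mustache.Compiler`) neutralises a marker payload, so that a later `escapeHTML(false)`, `DISABLE_AUTO_ESCAPING_POLICY`, or a silently dropped output-format setting fails the build rather than shipping.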