ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5247/java/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

71 lines
2.6 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
With https://github.com/samskivert/jmustache[JMustache by samskivert]:
----
Mustache.compiler().escapeHTML(false).compile(template).execute(context); // Sensitive
Mustache.compiler().withEscaper(Escapers.NONE).compile(template).execute(context); // Sensitive
----
With https://freemarker.apache.org/[Freemarker]:
----
freemarker.template.Configuration configuration = new freemarker.template.Configuration();
configuration.setAutoEscapingPolicy(DISABLE_AUTO_ESCAPING_POLICY); // Sensitive
----
== Compliant Solution
With https://github.com/samskivert/jmustache[JMustache by samskivert]:
[source,java]
----
Mustache.compiler().compile(template).execute(context); // Compliant, auto-escaping is enabled by default
Mustache.compiler().escapeHTML(true).compile(template).execute(context); // Compliant
----
With https://freemarker.apache.org/[Freemarker]. See https://freemarker.apache.org/docs/api/freemarker/template/Configuration.html#setAutoEscapingPolicy-int-["setAutoEscapingPolicy" documentation] for more details.
[source,java]
----
freemarker.template.Configuration configuration = new freemarker.template.Configuration();
configuration.setAutoEscapingPolicy(ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY); // Compliant
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 27 Jan 2021, 11:01:55 Quentin Jaquier wrote:
Other template engine considered, but discarded because they do not have a way to disable the escaping globally:
* https://www.thymeleaf.org/[Thymleaf]:
Auto-escaping is the default. It is not possible to disable it globally in the Java code, https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#unescaped-text[un-escaped text] can be done only in the HTML file.
* https://github.com/spullara/mustache.java[JMustache by spullara]:
Same as Thymleaf. In addition, it is possible https://groups.google.com/g/mustachejava/c/7qh3Ar8MHsc/m/zKc2fvdPAQAJ[to overwrite the behavior by overwriting "encode()" method], but this seems like a workaround and is really not likely to be done by inadvertance without knowing what you are doing.
* https://pebbletemplates.io/[Pebble Templates]
https://pebbletemplates.io/wiki/guide/escaping/[Auto-escaping enabled by default]. Only possible to disable it via the https://pebbletemplates.io/wiki/filter/raw/[raw filter], not globally in the Java code.
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink