Is freemarker safe when user can edit their template

I'm new to FreeMarker and I need to know about this issue, and also whether to choose it or not. I will strip XSS myself, but I don't know whether the other FreeMarker features are safe when the site allows users to edit their own template.

3 answers


Oh god no! This is basically equivalent to allowing the user to evaluate arbitrary code. Removing XSS after the fact only addresses one potential vulnerability. They will still be able to do a lot of other things, like manipulating POST parameters or performing page redirects.

John is right. And letting the user actually edit the FreeMarker templates themselves seems strange. If you re-output user input (for example, displaying the search query on the results page), I would suggest using the inline HTML-escaping built-in; this saves you from the most basic XSS attacks (e.g. "You searched for '${term?html}'").

So, as others have said, it is not safe. However, if these users are employees of your company or something like that (that is, if they are easily accountable for malicious acts), then this is not entirely out of the question. See http://freemarker.org/docs/app_faq.html#faq_template_uploading_security for details.

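The configuration that the FAQ linked in the last answer points at, written out as an added example (this is not code from the original thread or from the FreeMarker project). It builds a Configuration for the "accountable users" case: HTML auto-escaping so the search-term example from the second answer is inert even without `?html`, and a class resolver that refuses the `?new` built-in, which is the template-level primitive behind "equivalent to evaluating arbitrary code". The template strings, the data model and the class name `UserTemplateSandbox` are constructed for the example; the API calls are FreeMarker 2.3.x (adjust `VERSION_2_3_31` to the release you use).

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

// Added example, not from the original post or the FreeMarker project:
// a Configuration locked down for templates that an accountable user may edit,
// plus a check of the two concerns raised in the thread (XSS and code execution).
public class UserTemplateSandbox {

    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Auto-escape every ${...} interpolation as HTML, so a forgotten ?html
        // in a user-edited template does not turn into XSS.
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        // Refuse "..."?new(): that built-in lets a template instantiate any class
        // with a public no-arg constructor (the trick the linked FAQ describes).
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api exposes raw Java methods of wrapped objects; keep it off (default is off).
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /** Renders a user-supplied template source against a data model of plain values. */
    static String render(Configuration cfg, String templateSource, Map<String, Object> model)
            throws IOException, TemplateException {
        Template tpl = new Template("user-template", new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        tpl.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // Constructed data model: only strings go in. Do not hand a user-edited
        // template live objects (request, session, services); the default object
        // wrapper exposes their public methods to the template.
        Map<String, Object> model = new HashMap<>();
        model.put("term", "<script>alert(1)</script>");

        // 1. Escaping: the search term is rendered as text even though the
        //    template does not use ?html.
        System.out.println(render(cfg, "You searched for '${term}'", model));

        // 2. Class instantiation: the resolver turns the FAQ's ?new example into
        //    a TemplateException instead of a code-execution primitive.
        String hostile = "${\"freemarker.template.utility.Execute\"?new()(\"id\")}";
        try {
            render(cfg, hostile, model);
            System.out.println("NOT BLOCKED: fix the configuration");
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Two things this does not buy you, which is why the answers above still say "not safe": the data model is the remaining attack surface (anything you put in it, the template can reach through the object wrapper, so pass plain strings and maps rather than service objects), and nothing here limits CPU or memory, so a hostile template can still loop forever or include other templates your TemplateLoader can see. Treat the settings as damage limitation for trusted, accountable editors, not as a sandbox for anonymous users.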