FreeMarker 自動轉義和格式化HTML和XML輸出，預防xss

時間 2019-11-16

標籤 freemarker 自動轉義格式化 html xml 輸出預防 xss 欄目 FreeMarker 简体版

原文原文鏈接

這種自動轉義須要FreeMarker 版本大於等於2.3.24。若是你不得不使用一個更早的版本，請使用過期的escape指令替代。javascript

不過考慮到官網上最近的標註2.3.25已是穩定版，建議升級css

Latest stable release: 2.3.25-incubating

Released on 2016-06-26. Requires J2SE 1.5 or higher.html

<dependency>java

<groupId>org.freemarker</groupId>json

<artifactId>freemarker</artifactId>api

<version>2.3.25-incubating</version>app

</dependency>ui

全部的以ftlh和ftlx爲擴展名的freemarker模板都會自動關聯到HTML和XML輸出格式，預約義的輸出格式以下：spa

Name	Description	MIME Type	Default implementation (`freemarker.core.*`)
`HTML`	Escapes `<`, `>`, `&`, `"`, `'` as `<`, `>`, `&`, `"`, `'`	`text/html`	`HTMLOutputFormat.INSTANCE`
`XHTML`	Escapes `<`, `>`, `&`, `"`, `'` as `<`, `>`, `&`, `"`, `'`	`application/xhtml+xml`	`XHTMLOutputFormat.INSTANCE`
`XML`	Escapes `<`, `>`, `&`, `"`, `'` as `<`, `>`, `&`, `"`, `'`	`application/xml`	`XMLOutputFormat.INSTANCE`
`RTF`	Escapes `{`, `}`, `\` as `\{`, `\}`, `\\`	`application/rtf`	`RTFOutputFormat.INSTANCE`
`undefined`	Doesn't escape. Prints markup output values (concept explainedlater) from other output formats as is. The default output format used when no output format was explicitly set in the configuration.	None (`null`)	`UndefinedOutputFormat.INSTANCE`
`plainText`	Doesn't escape.	`text/plain`	`PlainTextOutputFormat.INSTANCE`
`JavaScript`	Doesn't escape.	`application/javascript`	`JavaScriptOutputFormat.INSTANCE`
`JSON`	Doesn't escape.	`application/json`	`JSONOutputFormat.INSTANCE`
`CSS`	Doesn't escape.	`text/css`	`CSSOutputFormat.INSTANCE`