Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Escaping quotes in velocity template

Tags:

I have a java method, that takes a few strings. This method needs to be called from a Velocity Template. However, the strings are too complex, with lots of single quotes, double quotes and commas as well. As a result merge is failing. Is there a way to escape quotes in Velocity?

like image 316
Krishna Sarma Avatar asked Oct 25 '13 01:10

Krishna Sarma

People also ask

How do you escape velocity template?

Velocity allows for explicit escaping of References and Directives using the \ (backslash) character. If the character following the \ would start a new directive or reference, then this character is output verbatim. This can lead to some unexpected behaviour, especially with directives.

How do you escape quotation marks?

Alternatively, you can use a backslash \ to escape the quotation marks.

Is double quote a Escape character?

“Double quotes 'escape' double quotes“ When using double quotes "" to create a string literal, the double quote character needs to be escaped using a backslash: \" .

What is velocity and Freemarker?

Velocity and FreeMarker are two templating languages that can both be used as view technologies within Spring MVC applications. The languages are quite similar and serve similar needs and so are considered together in this section.

What is the XSS vulnerability in velocity templates?

Rendering data from untrusted sources in Velocity templates can result in XSS vulnerabilities if the data has not been html encoded. As of JIRA 5.1, we have introduced the ability to opt into automatic HTML escaping for all references

How to avoid escaping when a specific reference is evaluated?

In order to avoid escaping when a specific reference is evaluated you only need to append the string "html" at the end of the reference. For instance:

How to avoid HTML escaping when method call is evaluated?

Html escaping will not be applied when it is evaluated, the output will be: This should not be escaped, therefore rendering in red colour. In order to avoid escaping when a specific method call is evaluated you only need to append the string "html" at the end of the method's name, or alternatively, annotate the method as @HtmlSafe.

2 Answers

It depends on which version of Velocity you're using. Velocity 1.7 has clear rules for escaping quotes: just double the same type of quotes used to wrap the string:

$object.callMethod('Let''s have fun with "quotes"',   "Let's have fun with ""quotes""")

Prior to that, there were some fuzzy rules with backslash escapes that didn't always work as expected.

like image 99
Sergiu Dumitriu Avatar answered Sep 19 '22 00:09

Sergiu Dumitriu

See the Velocity Escape Tool:

https://velocity.apache.org/tools/2.0/apidocs/org/apache/velocity/tools/generic/EscapeTool.html

like image 45
Alan Hay Avatar answered Sep 21 '22 00:09

Alan Hay
Sign in to Comment

Related questions

Leaving values blank if not passed in str.format
How to check if list of strings are present in command output in Ansible?
Comments in freemarker template and smooks
What is the difference between "Set" and "Add" for ObjectCache?
Loop over two generator together
Does the C preprocessor remove instances of "&*"?
Django - Why should I ever use the render_to_response at all?
Pass command line parameters to uwsgi script
Python 'is' vs JavaScript ===
When performing post via ajax, Bad Request is returned instead of the JSON result
Use a custom contextual action bar for WebView text selection
What is the purpose of using synchronized (Thread.currentThread()){...} in Java?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!