 

Escaping quotes in velocity template


I have a Java method that takes a few strings. This method needs to be called from a Velocity template. However, the strings are too complex, with lots of single quotes, double quotes and commas as well. As a result, the merge is failing. Is there a way to escape quotes in Velocity?

Krishna Sarma asked Oct 25 '13 01:10


People also ask

How do you escape velocity template?

Velocity allows for explicit escaping of References and Directives using the \ (backslash) character. If the character following the \ would start a new directive or reference, then this character is output verbatim. This can lead to some unexpected behaviour, especially with directives.

How do you escape quotation marks?

Alternatively, you can use a backslash \ to escape the quotation marks.

Is double quote a Escape character?

"Double quotes 'escape' double quotes": when using double quotes "" to create a string literal, the double quote character needs to be escaped using a backslash: \".

What is velocity and Freemarker?

Velocity and FreeMarker are two templating languages that can both be used as view technologies within Spring MVC applications. The languages are quite similar and serve similar needs and so are considered together in this section.

What is the XSS vulnerability in velocity templates?

Rendering data from untrusted sources in Velocity templates can result in XSS vulnerabilities if the data has not been html encoded. As of JIRA 5.1, we have introduced the ability to opt into automatic HTML escaping for all references

How to avoid escaping when a specific reference is evaluated?

In order to avoid escaping when a specific reference is evaluated you only need to append the string "html" at the end of the reference. For instance:

How to avoid HTML escaping when method call is evaluated?

Html escaping will not be applied when it is evaluated, the output will be: This should not be escaped, therefore rendering in red colour. In order to avoid escaping when a specific method call is evaluated you only need to append the string "html" at the end of the method's name, or alternatively, annotate the method as @HtmlSafe.


2 Answers

It depends on which version of Velocity you're using. Velocity 1.7 has clear rules for escaping quotes: just double the same type of quotes used to wrap the string:

$object.callMethod('Let''s have fun with "quotes"',   "Let's have fun with ""quotes""") 

Prior to that, there were some fuzzy rules with backslash escapes that didn't always work as expected.

Sergiu Dumitriu answered Sep 19 '22 00:09


See the Velocity Escape Tool:

https://velocity.apache.org/tools/2.0/apidocs/org/apache/velocity/tools/generic/EscapeTool.html

Alan Hay answered Sep 21 '22 00:09
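As an added example (not code from the question or from either answer), the following Java program puts both answers side by side and adds the option that removes the problem altogether: passing the strings through the VelocityContext and referencing them by name, instead of splicing them into the template source. It assumes Velocity 1.7 or later and velocity-tools on the classpath. The class and method names (`Target`, `callMethod`), the references `$first`, `$second` and `$esc`, and the sample input are constructed for this example.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.tools.generic.EscapeTool;

// Added example; assumes velocity (1.7 or later) and velocity-tools on the classpath.
public class VelocityQuoteDemo {

    // Stand-in for the Java method the question calls from the template (assumed name).
    public static class Target {
        public String callMethod(String a, String b) {
            return "[" + a + "] [" + b + "]";
        }
    }

    // Merge a template string against a context and return the rendered output.
    public static String render(VelocityEngine engine, VelocityContext ctx, String template) {
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", template);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = new VelocityEngine();
        engine.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("object", new Target());
        ctx.put("esc", new EscapeTool());   // the tool linked in the second answer

        // 1. Quotes inside template literals: double the wrapping quote (the Velocity 1.7
        //    rule from the first answer). Single-quoted literals are not interpolated,
        //    double-quoted ones are, so keep '$' and '#' out of the double-quoted form.
        String literals = "$object.callMethod('Let''s have fun with \"quotes\"', "
                        + "\"Let's have fun with \"\"quotes\"\"\")";
        System.out.println(render(engine, ctx, literals));

        // 2. Strings that come from outside the template: put them in the context and pass
        //    the reference. The value is never parsed as template text, so it needs no
        //    escaping, and a value containing '#' or '$' cannot become a directive or
        //    reference. This is the pattern to use for anything user-controlled.
        String untrusted = "O'Reilly said \"hi\", #set($x = 1) $object";   // constructed sample input
        ctx.put("first", untrusted);
        ctx.put("second", "plain");
        System.out.println(render(engine, ctx, "$object.callMethod($first, $second)"));

        // 3. The failing pattern from the question: concatenating the value into the
        //    template source. The apostrophe in O'Reilly terminates the literal early and
        //    the merge fails, which is the symptom the question describes.
        String spliced = "$object.callMethod('" + untrusted + "', 'plain')";
        try {
            System.out.println(render(engine, ctx, spliced));
        } catch (RuntimeException e) {
            System.out.println("merge failed: " + e.getClass().getSimpleName());
        }

        // 4. Escaping belongs at the output boundary, not in method arguments: when a
        //    context value is written into HTML, encode it with EscapeTool so that markup
        //    in the value is rendered as text rather than interpreted by the browser.
        System.out.println(render(engine, ctx, "<p>$esc.html($first)</p>"));
    }
}
```

Case 2 is the one to prefer whenever the strings originate outside the template: it sidesteps the quote problem and keeps data from being parsed as Velocity syntax. EscapeTool (case 4) addresses a different question, how a value is encoded for the output format, and is not a substitute for keeping data out of the template source.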