[jira] [Updated] (OFBIZ-7675) Investigate if we should turn Freemarker autoescaping on

> Investigate if we should turn Freemarker autoescaping on
> --------------------------------------------------------
>
>                 Key: OFBIZ-7675
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7675
>             Project: OFBiz
>          Issue Type: New Feature
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Priority: Minor
>             Fix For: Upcoming Branch
>
>
> At OFBIZ-7041 [~[hidden email]] suggested that we turn Freemarker autoescaping on. Quoting him there:
> {quote}
> This new version of FreeMarker includes auto-escaping and output formats. The <#escape> directive has been deprecated. Notice the comment at the very end of this page:
> "FreeMarker automatically escapes all values printed ... if it's properly configured (that's the responsibility of the programmers; [see here how|http://freemarker.org/docs/pgui_config_outputformatsautoesc.html])."
> Would be good to turn autoescaping on, and set the configuration to match .ftl as HTML and .fo.ftl as XML.
> {quote}
> [~pfm.smits] asked
> {quote}
> If we are going down that path I guess we have to visit a lot of Freemarker template files, right?
> {quote}
> Here is my answer
> {quote}
> We don' t use any <#escape> directives in all OFBiz. We have a couple of <#noescape> which should be replaced by <#noautoesc>. So I agree we could set the Freemarker environement to auto-escaping, and test if it has not unexpected side-effects.
> Could be that this will fix or complicate the issue I crossed (at bottom) of OFBIZ-7041 and more recently at OFBIZ-7343, let's see...
> {quote}
> Reply