Change default Freemarker template file extension to .ftlh to enable HTML escaping #15131
Comments
spring-projects-issues
added
the
status: waiting-for-triage
bclozel
added
the
for: team-attention
|
Thanks for the report @jamesbarnett91 ! FreeMarker users should indeed apply those defaults for better security. Spring Boot auto-configures FreeMarker for Web and non-Web use cases (rendering email templates or text files, etc). As you've described here, changing the default for The team discussed this and we've decided to first tackle #15156 and then decide what we should do here. |
bclozel
added
type: enhancement
|
Thanks for the update @bclozel , I understand the need to maintain backwards compatibility. Perhaps the Spring Initializr could be updated to apply the Freemarker This could only be applied if the If this sounds sensible I can raise an issue on the Spring Initializr repo? |
|
@jamesbarnett91 this issue is not closed and we're going to address this, we just don't know how yet. I wouldn't update Spring Intializr as it must remain a convenience. |
|
Given the conclusion reached in #15156, we should make sure that Freemarker provides a safe configuration for web templates. In the case of Freemarker, the prefix/suffix data is only used in the view resolver, so changing This is a breaking change, but we've made similar changes in the past, see #8997. |
bclozel
changed the title
|
Thanks for the fix @bclozel 👍 |
- updated according to spring-projects/spring-boot#15131
|
This is a breaking change which leads to the infamous 'whitelabel error' and is quite confusing. There is not a single line about this in the docs: https://docs.spring.io/spring-boot/docs/2.2.2.RELEASE/reference/htmlsingle/#boot-features-spring-mvc-template-engines In my opinion, breaking changes should be only reserved for major updates and should have red notes in the docs. |
|
Thanks for the feedback and sorry for the inconvenience. We occasionally make breaking changes in minor releases when we believe that it will not make upgrading too difficult. We communicate those changes in the release notes rather than in the reference documentation. The latter is intended to describe how things are for a particular release whereas the former are intended to describe how things have changed since the previous release. |
|
Please add it to the spring boot 2.2 release notes as it also caught my group offguard i.e. why is nothing showing up.. https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.2-Release-Notes |
|
@duttonw It's covered in the release notes under the Freemarker templates configuration section. |
|
to make my templates work again i found https://freemarker.apache.org/docs/dgui_misc_autoescaping.html I removed strings there might be other things needing to be done, but this should be the gist of it if they are global wrapping their templates instead of piece meal escaping. |
This is primarily motivated by an upcoming dependency on HeaderResultMatchers::dateValue, which has a hard dependency on JUnit 4, fixed in v5.1.8 and v5.2.4 [1]. It was either reintroduce JUnit 4 until this inevitable upgrade, or upgrade now. We'll be in a better position for Spring Boot 2.3, at least. Other exciting changes include changing Freemarker view extensions from .ftl to .ftlh [2], trivial API churn, new Flyway, and new PostgreSQL JDBC driver. [1] spring-projects/spring-framework@233b225 [2] spring-projects/spring-boot#15131
This comment was marked as resolved.
This comment was marked as resolved.
Hi
When using the Spring Boot Freemarker Starter, content within the standard Freemarker interpolation blocks
${...}is not escaped by default.The Freemarker docs say:
I think most users would expect the Spring Boot Starter to do this 'proper configuration', since it does a lot of other sensible auto configuration, and I can't see why you would ever want to globally disable HTML escaping except in very rare circumstances.
Additionally, the recommended practice of using the
.ftlhfile extension to enable HTML auto-escaping does not work out-of-the-box with the Spring Boot starter as it seems to only be configured to scan for.ftlfiles.The safest way to enable escaping seems to be to set
spring.freemarker.settings.output_format=HTMLOutputFormatwithin theapplication.propertiesto force Freemarker to treat all templates as HTML regardless of their extension (so escaping will be done even if thehis forgotten on the file extension).Or alternatively the
spring.freemarker.suffixcan also be set to.ftlhalong with the enabling thespring.freemarker.settings.recognize_standard_file_extensionI would like to suggest that the default behaviour be changed to enable escaping by setting the Freemarker output format to HTML. However I appreciate the potential regression impact of making this change, so understand if this is not possible.
At the least, I would suggest that some mention of the need to do this configuration should be included in the documentation. Perhaps a list of recommended configuration options for each Templating engine or something?
Currently everything else about the default configuration is sensible and works well, so users are unlikely to examine any other configuration options, making it very easy to miss the need to configure the escaping and likely leading to XSS vulnerabilities.
For comparison, both the Thymeleaf and Mustache templating starters for Spring Boot escape html content by out-of-the-box when using the standard interpolation syntax.
Tested with
spring-boot-2.0.4.RELEASEandspring-boot-starter-freemarker:2.0.4.RELEASEThanks
The text was updated successfully, but these errors were encountered: