by Sebastian Hoogenberk on April 9, 2015
For security reasons you might want to disable the #parse and the #include directives in Apache Velocity altogether, e.g. when users should be allowed to modify templates. The way to do this is via an event handler named IncludeEventHandler.
To disable #include and #parse, you first have to implement the IncludeEventHandler interface, and then you have to register your class in the Velocity configuration.
The class:
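    public class IncludeEventHandler
            implements org.apache.velocity.app.event.IncludeEventHandler {

        // Velocity calls this for every #include and #parse before it loads the resource.
        @Override
        public String includeEvent(final String includeResourcePath,
                                   final String currentResourcePath,
                                   final String directiveName) {
            // Returning null tells Velocity to skip the directive,
            // so nothing is loaded or rendered.
            return null; // disable includes altogether
        }
    }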
And the configuration:
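    import java.util.Properties;
    import org.apache.velocity.app.Velocity;
    import org.apache.velocity.app.VelocityEngine;

    // Register the handler class by name before Velocity is initialized.
    Properties properties = new Properties();
    properties.setProperty(VelocityEngine.EVENTHANDLER_INCLUDE,
            IncludeEventHandler.class.getName());
    Velocity.init(properties);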
The property is actually named "eventhandler.include.class", but you can use the constant VelocityEngine.EVENTHANDLER_INCLUDE instead.
And this is it - now #parse and #include simply do nothing.
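To confirm the handler is actually in effect, the following added example (not code from the original post) renders the same template with and without it and fails if included content still reaches the output. It assumes the Velocity 1.x API used above is on the classpath; the names IncludeBlockCheck and DenyIncludes, the file names and the marker strings are constructed for illustration.

```java
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.IncludeEventHandler;
import org.apache.velocity.runtime.RuntimeConstants;

public class IncludeBlockCheck {
    // Hypothetical name; same behaviour as the handler in the post: null blocks the directive.
    public static class DenyIncludes implements IncludeEventHandler {
        @Override
        public String includeEvent(String includeResourcePath,
                String currentResourcePath, String directiveName) {
            return null;
        }
    }

    // Renders a user-supplied template string against a file resource root.
    static String render(Path root, String template, boolean blockIncludes) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_PATH, root.toString());
        if (blockIncludes) {
            engine.setProperty(RuntimeConstants.EVENTHANDLER_INCLUDE,
                    DenyIncludes.class.getName());
        }
        engine.init();
        StringWriter out = new StringWriter();
        engine.evaluate(new VelocityContext(), out, "user-template", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: files a template author should not be able to pull in.
        Path root = Files.createTempDirectory("velocity-root");
        Files.write(root.resolve("internal.txt"), "INTERNAL-MARKER".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("partial.vm"), "PARSED-MARKER".getBytes(StandardCharsets.UTF_8));
        String template = "A #include(\"internal.txt\") B #parse(\"partial.vm\") C";
        String open = render(root, template, false);   // default engine: both files are rendered
        String blocked = render(root, template, true); // handler registered: both are skipped
        if (!open.contains("INTERNAL-MARKER") || !open.contains("PARSED-MARKER")) {
            throw new AssertionError("baseline did not include the files: " + open);
        }
        if (blocked.contains("INTERNAL-MARKER") || blocked.contains("PARSED-MARKER")) {
            throw new AssertionError("handler did not block includes: " + blocked);
        }
        System.out.println("includes blocked, output: " + blocked);
    }
}
```

Running a check like this as a unit test guards against the handler being silently dropped by a later configuration change.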