@paulwellnerbou
Last active November 4, 2015 13:23
This is Google's cache of http://www.repix.ch/blog/how-disable-include-parse-apache-velocity/. It is a snapshot of the page as it appeared on 10 Oct 2015 12:25:46 GMT.

How to disable #include / #parse in Velocity

by Sebastian Hoogenberk on April 9, 2015

For security reasons you might want to disable the #parse and the #include directives in Apache Velocity altogether, e.g. when users should be allowed to modify templates. The way to do this is via an event handler named IncludeEventHandler.

To disable #include and #parse, you first have to implement the IncludeEventHandler interface, and then you have to register your class in the Velocity configuration.

The class:

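public class IncludeEventHandler 
    implements org.apache.velocity.app.event.IncludeEventHandler {

    // Called by Velocity for every #include and #parse directive.
    // Returning null tells Velocity not to load the requested resource.
    @Override
    public String includeEvent(final String includeResourcePath,
            final String currentResourcePath, final String directiveName) {
        return null; // disable includes altogether
    }
}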

And the configuration:

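import java.util.Properties;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.app.VelocityEngine;

Properties properties = new Properties();
properties.setProperty(VelocityEngine.EVENTHANDLER_INCLUDE, 
    IncludeEventHandler.class.getName());
Velocity.init(properties);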

The property is actually named "eventhandler.include.class", but you can use the constant VelocityEngine.EVENTHANDLER_INCLUDE instead.

And this is it - now #parse and #include simply do nothing.
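To confirm the handler really takes effect in a given setup, the following added example (not code from the original post) renders the same template with and without the handler against a loader root that contains real files. It assumes Velocity 1.x (e.g. 1.7) on the classpath; the names IncludeBlockCheck and DenyIncludes and the sample files raw.txt and inner.vm are hypothetical and constructed for the check.

```java
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.IncludeEventHandler;
import org.apache.velocity.runtime.RuntimeConstants;

public class IncludeBlockCheck {
    // Hypothetical handler name. It must be public with a public no-arg
    // constructor, because Velocity instantiates it from the class name.
    public static class DenyIncludes implements IncludeEventHandler {
        @Override
        public String includeEvent(String includePath, String currentPath, String directive) {
            return null; // null: do not load the requested resource
        }
    }

    // Renders a template using both directives, with or without the handler.
    static String render(Path root, boolean blockIncludes) throws Exception {
        Properties p = new Properties();
        p.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_PATH, root.toString());
        if (blockIncludes) {
            p.setProperty(VelocityEngine.EVENTHANDLER_INCLUDE, DenyIncludes.class.getName());
        }
        VelocityEngine engine = new VelocityEngine(); // separate engine per configuration
        engine.init(p);
        StringWriter out = new StringWriter();
        engine.evaluate(new VelocityContext(), out, "user-template",
                "[#include(\"raw.txt\")][#parse(\"inner.vm\")]");
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("vtl-root"); // constructed sample files
        Files.write(root.resolve("raw.txt"), "RAW-MARKER".getBytes("UTF-8"));
        Files.write(root.resolve("inner.vm"), "PARSED-MARKER".getBytes("UTF-8"));
        String open = render(root, false);
        String blocked = render(root, true);
        System.out.println("without handler: " + open + "\nwith handler:    " + blocked);
        // Fail loudly if the files were not reachable by default, or still are when blocked.
        if (!open.contains("RAW-MARKER") || !open.contains("PARSED-MARKER")
                || blocked.contains("MARKER")) {
            throw new AssertionError("include/parse blocking did not behave as expected");
        }
    }
}
```

Running a check like this after a Velocity upgrade is worthwhile, since the handler is registered by property name and a renamed or ignored property would silently re-enable both directives.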
