Spring Boot Freemarker - html escaping by default - spring

Is there any convenient way to enable html escaping by default for all freemarker templates when using spring boot autoconfiguration?
If not, what's proper way to add any of following solutions (keeping spring boot autoconfiguration defaults except of template loader)?
Default escaping in Freemarker
http://watchitlater.com/blog/2011/10/default-html-escape-using-freemarker/

After following ddekany's advice to use 2.3.24 here's solution:
Modify all template names to .ftlh (required by freemarker to automatically turn on HTML escaper) - including spring.ftl if it's being used. Updated spring.ftlh might need some '?no_esc' additions for attributes.
Adjust freemarker config to use those files:
spring.freemarker.suffix=.ftlh
spring.freemarker.settings.recognize_standard_file_extensions=true
Modify pom.xml to use freemarker 2.3.24:
<dependency>
<groupId>org.freemarker</groupId>
<artifactId>freemarker</artifactId>
<version>freemarker-2.3.24-pre01</version>
</dependency>
Following solution is to use local JAR file because 2.3.24 is not yet on maven:
mvn install:install-file -Dfile="freemarker-2.3.24-pre01.jar" -DgroupId="org.freemarker" -DartifactId="freemarker" -Dversion="freemarker-2.3.24-pre01" -Dpackaging=jar
Voila, automatic freemarker HTML escaping for Spring Boot ;)

FreeMarker 2.3.24 has auto-escaping as a core feature, though when I write this it's not yet released. Until then (1-2 months I guess), 2.3.24-pre01 is downloadable from the homepage, or you can build the 2.3-gae branch head (though not much has changed if you are only using auto-escaping among the 2.3.24 features). Auto-escaping is currently described there: http://freemarker.incubator.apache.org/builds/2.3.24-pre01/_html/dgui_misc_autoescaping.html
If you can't use 2.3.24 in this form, as the first post you have linked describes, you can use a custom TemplateLoader. As templateLoader (template_loader) is just a FreeMarker configuration setting, hopefully it can be set in Spring too.
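The effect of the `.ftlh` extension and of `?no_esc`, shown as an added example that is not part of the original posts. It assumes FreeMarker 2.3.24 or later on the classpath; the class name `AutoEscapeDemo`, the template names and the sample value are made up for illustration, and an in-memory `StringTemplateLoader` stands in for Spring's template loader.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;

import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Added illustration; class and template names are hypothetical.
public class AutoEscapeDemo {

    static String render(Configuration cfg, String template, Map<String, Object> model)
            throws Exception {
        StringWriter out = new StringWriter();
        cfg.getTemplate(template).process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a pre-2.3.24 incompatible_improvements baseline,
        // so the extension switch has to be set explicitly.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_0);
        // Programmatic form of spring.freemarker.settings.recognize_standard_file_extensions=true
        cfg.setRecognizeStandardFileExtensions(true);

        // In-memory templates stand in for files on the template loader path.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("legacy.ftl", "<p>Hello ${name}</p>");
        loader.putTemplate("page.ftlh", "<p>Hello ${name}</p>");
        loader.putTemplate("trusted.ftlh", "<p>${name?no_esc}</p>");
        cfg.setTemplateLoader(loader);

        // Constructed sample value standing in for untrusted user input.
        Map<String, Object> model = new HashMap<>();
        model.put("name", "<script>alert(1)</script>");

        String legacy = render(cfg, "legacy.ftl", model);   // no output format: raw
        String escaped = render(cfg, "page.ftlh", model);   // HTML output format: escaped
        String optOut = render(cfg, "trusted.ftlh", model); // ?no_esc: raw again

        System.out.println(legacy);
        System.out.println(escaped);
        System.out.println(optOut);

        // Fail loudly if the configuration does not behave as described above.
        if (escaped.contains("<script>") || !legacy.contains("<script>")
                || !optOut.contains("<script>")) {
            throw new IllegalStateException("unexpected escaping behaviour");
        }
    }
}
```

Any template left with the `.ftl` suffix after the migration still renders values raw, and every `?no_esc` is an opt-out, so both are worth searching for when reviewing templates.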

Related

springdoc-openapi-ui does not read provided yaml configuration

I'm trying to migrate app from autogenerating openapi from existing controllers and model to yaml specification(from which controller interfaces/models will be generated). YAML file is ready, bean OpenAPI providing some information is gone, I set springdoc.packages-to-scan= and tried to point to yaml file using:
springdoc.api-docs.path=/api.yaml and/or springdoc.swagger-ui.url=http://localhost:8080/ofs/api.yaml, but for some reason, while I get updated URL for 'source' yaml file, it is not the source file, it was somehow autogenerated. I see wrong servers, some default title etc.
sole maven dependency is:
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-ui</artifactId>
</dependency>
I didn't find any autoconfiguration. I think I see results of some "we will do magic for you" default configuration, but I cannot find anywhere (tutorials/documentation) how to force system to: "don't do anything, use this configuration".
Can someone advise / point me to documentation (specific section) or some tutorial? Or did I get it wrong and in this case I should not use springdoc-openapi-ui at all?

Disable Sonar rule using pom.xml?

I am using a Spring Boot and Spring Jpa example and looking to disable the below Sonar rule through Maven, mainly using the pom.xml file. I don't have access or can't go and disable that rule in SonarQube as it's configured at the Org level.
Methods should not have too many parameters (squid:S00107)
I already went through web many times and did not find any promising solutions yet. This is what I look at : Configure Sonar to exclude files from Maven pom.xml too.
There seems to be a way of doing it but it may not be supported, i.e.
<properties>
<sonar.issue.ignore.multicriteria>e1</sonar.issue.ignore.multicriteria>
<sonar.issue.ignore.multicriteria.e1.ruleKey>squid:S00107</sonar.issue.ignore.multicriteria.e1.ruleKey>
<sonar.issue.ignore.multicriteria.e1.resourceKey>**/*.java</sonar.issue.ignore.multicriteria.e1.resourceKey>
</properties>
Refer to : https://community.sonarsource.com/t/documentation-about-ignore-issues-seems-to-be-wrong-or-outdated/3353
but they do state :
We recommend users to use the UI to configure this, for best
experience. Consider the configuration via sonar-project.properties as
an undocumented hack, not official supported that may or may not work
reliably, use at your own risk.

difference between keeping a plugin inside a project and inside a profile

Can anyone please explain the functionality for below?
A) Actually the below code is working for me, BUT I didn't understand why we need to use the below for maven-war-plugin
<warSourceDirectory>src/main/webapp</warSourceDirectory>
<webXml>src/main/webapp/WEB-INF/web.xml</webXml>
B) What's the difference between keeping a plugin inside a project and inside a profile (say maven-surefire-plugin)? Which way is better (assume I MUST use the <profile> tag in my pom.xml)?
Part A
warSourceDirectory is the directory for static web files, jsp, images, WEB-INF etc. The default value is good, so you don't need to change this parameter.
webXml - is the location of the web.xml file, deployment description. With spring boot you don't need web.xml at all. Set parameter failOnMissingWebXml to false.
Part B
Plugins defined inside a project are always used by this project. Plugins defined in a profile are used only when you enable the profile - so such a plugin is not default.

Does anybody use Jersey in embedded mode(not servlet env but standalone Grizzly instance) successfully with a template engine?

Velocity, Freemarker, Japid, Rythm, any other?
What I am looking for is a solution similar to what JSP provides in a servlet environment. It should be a form of ViewProcessor implementation, but working on a standalone embedded Grizzly deployment (NIO architecture).
Jersey has support for freemarker templates - see jersey-freemarker module on maven. It works with any container (i.e. is not depending on servlet). There is also freemarker sample in Jersey workspace that shows how to use it - see here.
I think all the template engines you listed could be used in an independent environment. Specifically for Rythm (coz I am the author of this stuff), it loads template files from different sources:
from the String content supplied:
String result = Rythm.render("hello #who", "world");
from a file found from the rythm.root setting:
String result = Rythm.render("helloWorld.html", "world");
from a file found from the class path if you have no rythm.root setup
It just doesn't depend on any servlet container, so you are free to use it as long as you have JRE. Be sure to set rythm.noFileWrite to true if you want to use it in GAE where no file write is allowed.
The Open Source Project
http://www.bitplan.com/index.php/SimpleRest
supplies a TemplateResource base class which will do most of the "heavy lifting" to make Jersey, Grizzly and the Rythm template engine work together nicely.

Using FreeMarker with Apache Sling

I'm using a Content Repository (Adobe CQ5) that has Apache Sling underneath. I'd like to render web pages using FreeMarker instead of JSP.
For that to work should I upload the OSGi Freemarker extension to Sling, which is to be found in the contribution part of Sling source code, or should I upload an OSGi version of Freemarker instead? Both jars implement the interface javax.script.ScriptEngineFactory so I don't know which one to use, or to upload both.
I managed to get Freemarker working on CQ5.3 by doing the following:
get the source from svn checkout http://svn.apache.org/repos/asf/sling/trunk sling
go to the contrib/scripting/freemarker and remove all the logging and slf4j references from FreemarkerScriptEngine.java - it throws a 500 error due to NoClassDefFoundException - I think there is a conflict between CQ5 and a version of slf4j included in Freemarker (I didn't dig to find out what was wrong)
build it and install, it should appear in the Sling console under bundles and in the 'script engines' page, and let you use .ftl scripts now.
I did it slightly differently by creating the bundle inside CQ5, importing the code and adding a stock freemarker.jar into the bundle but this should work too as it's basically the same thing.
The problem I had was that the script engine does get listed but the logging prevents it from running, that's why you need to remove the log & slf4j from the engine.
I don't know about the OSGi version of Freemarker; we created our own bundling of Freemarker specially for Sling. If you have success using the OSGi version of Freemarker let us know ;-)
Testing is easy: Just install the bundle through the Web Console and check for the supported Script Engines in the Web Console Configuration Status. If you see the Freemarker Engine listed there, it should work.
