-
Notifications
You must be signed in to change notification settings - Fork 493
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release 3.0.12 has broken most of our templates due to #809 #816
Comments
Very much likewise - there seem to be a lot of thymeleaf examples using just this pattern and we've used it across our system. I'd even be happy with a new syntax for accessing enums (regex being your (sometimes sharp edged) friend :) |
It looks like this gets applied selectively though (for example a th:each works whereas a th:data-xxx doesn't). The only problematic instances I found in our code were "default" attributes (such as th:data-whatever or th:aria-labelledby). |
As the intent of the restricted expression evaluation mode is to:
IMHO restricting access to constants and enums doesn't make sense to achieve this goal, as they cannot be manipulated by user input. @danielfernandez as you are responsible for #809 I would like to know what the suggested replacement for accessing constants is? Would it be possible for Thymeleaf to determine that expressions reference constants and allow those?. |
Here too. Most of our template broke with |
- Spring Boot 2.4.0 -> 2.4.2 - Lombok 1.18.16 -> 1.18.18 - JUnit 5.7.0 -> 4.7.1 - JUnit 4.13.1 -> 4.13.2 - Mockito 3.6.28 -> 3.7.7 - Spring Security: 5.4.2 -> 5.4.4 - Hibernate: 5.4.25.Final -> 5.4.38.Final - Hibernate Validator: 6.1.6.Final -> 6.2.0.Final - Bootstrap: 4.5.3 -> 4.6.0 - PopperJS: 2.5.2 -> 2.5.4 Notes: - Thymeleaf version is explicitly downgraded to 3.0.11.RELEASE as there's issue in 3.0.12.RELEASE: thymeleaf/thymeleaf#816 - Application doesn't start with Hibernate Validator 7.0.1.Final - further investigation is needed
+1 Many of my templates are broken due to this "minor"?? update. It looks like a breaking change to me and should not have been embedded within a minor version update... |
I really wonder why there is no mention of the alternatives.
|
@danielfernandez can you comment on this issue? Seems to be a major problem for many people |
I had the same issue on my spring boot project(2.4.4), maybe 30+ templates affected, so spend few hours refactoring them into model attributes. |
Could you maybe give examples on which expressions have to be formatted in a new way? That would probably help the majority of us to get rid of the old syntax more easily. |
If you are working with Spring then another workaround to this is to define global model attributes using
|
Please note that, as explained in #809, execution of static code with
This indeed includes expressions like the one in the original post in this ticket: <a th:href="@{${T(com.test.controller.DashboardController).REQUEST_DASHBOARD}}"> This restriction was established for security reasons, and as part of the result of a vulnerability report. Link expressions are especially sensitive from a security standpoint, and both the creation of new objects (
Workaround There are several alternatives for Using So my recommendation would be to follow @venustulips example above and define @ModelAttribute("myData")
public String myData() {
return myData;
} Or for instance, if you want to replace a set of constants: @Component
public class ApplicationPaths {
private final static String MAIN = "/main";
private final static String ORDERS = "/orders";
public String getMain() {
return MAIN;
}
public String getOrders() {
return ORDERS;
}
...
}
@Controller
pubilc class SomeController {
@ModelAttribute("appPaths")
public String appPaths() {
return this.appPaths; // previously injected
}
...
} |
I absolutely understand the rationale behind the changes, and we're more than happy to adjust our code to access enums in a safer way, but I have to confess "Go add a getter to a model object for every enum you might ever want to use in a template" is not the answer for which I was hoping. It would be nice if thymeleaf could provide a recommended way of managing enum visibility - possibly even passing in a list of enums to make available in some form to the templates. |
IMHO it would be better to be able to add classes to an |
A version bump would have been nice. |
I complete understand the idea of preventing execution of arbitrary code, but in most of the cases myself and others have raised, we're talking about constants/enums. Could code be added to the detection routine to determine if the target of the T() expression is a constant and allow that? |
I can encourage you using this quickfix for your broken definitions. |
I feel like a much less breaking way would be to instead not execute expressions in string variables rather than to stop developers from explicitly calling an enum. This is really annoying |
An example at below link |
Unsubscribe
… On Oct 21, 2022, at 3:47 PM, DiagonAlley ***@***.***> wrote:
If you are working with Spring then another workaround to this is to define global model attributes using @ControllerAdvice. For eg,
@ControllerAdvice
public class GlobalModelAttribute {
@ModelAttribute("myEnum1List")
public String myEnum1List() {
return enumList;
}
@ModelAttribute("constantList")
public String constantList() {
return constantList;
}
@ModelAttribute("aConstant")
public String aConstant() {
return aConstant;
}
}
An example at below link
https://stackoverflow.com/questions/24937441/comparing-the-enum-constants-in-thymeleaf/34354605#34354605
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.
|
This is my solution, it worked, no need to modify template.
|
So, I can't migrate my Spring Boot application, since my templates use static classes (enums) extensible. Migrating would take a long time and even them, some things might failed when deploying to production. And when using Spring Boot 3.X I can't even downgrade to Thymeleaf 3.0.11.RELEASE, because of the thymeleaf-Spring6 dependency. So, has anyone find a workaround that would allowed the calling of at least some static classes? That way there won't be a need to modify the templates.
Also, sadly this solution didn't work with my configuration. |
As mentioned in #829 there is currently no way to configure the allowance behavior. Last year I opened a PR (PR#960) to alleviate this but it has not gotten any traction as of now. |
Today i tested with Springboot 3.3.0, it still worked on my end. 1. First, it requires a Configuration.
Put the configuration FQN to src/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports. 2. The class of TemplateDialect.
3. Thymeleaf example.
|
Due to changes in #809 we have a lot of templates that are now broken.
For a lot of our templates we use static members in our Spring controllers for the request names. Hrefs within our templates look like the following:
<a th:href="@{${T(com.test.controller.DashboardController).REQUEST_DASHBOARD}}">
This now results in the following exception:
org.thymeleaf.exceptions.TemplateProcessingException: Instantiation of new objects and access to static classes is forbidden in this context
This pattern is used in 100's of templates in our code base. We obviously don't want to completely disable the restricted expression evaluation mode, but is there a way to turn off the restriction of just the static class access?
Thanks,
Scott
The text was updated successfully, but these errors were encountered: