/**
 * Returns a context equivalent to this one but with type conversion enabled.
 * <p>
 * The three shared instances are mapped onto their {@code *_WITH_TYPE_CONVERSION}
 * counterparts so that no new object is created for the common cases; any other
 * instance yields a fresh context carrying the same variable-access and
 * unsafe-result restrictions.
 *
 * @return this instance if it already performs type conversion, otherwise the
 *         type-converting equivalent
 */
public StandardExpressionExecutionContext withTypeConversion() {
    // Nothing to change when conversion is already on.
    if (getPerformTypeConversion()) {
        return this;
    }
    // Identity comparison is intentional: only the well-known shared instances are
    // swapped for their pre-built counterparts; everything else is rebuilt with the
    // same restriction flags and conversion switched on.
    return this == NORMAL
            ? NORMAL_WITH_TYPE_CONVERSION
            : this == RESTRICTED
                    ? RESTRICTED_WITH_TYPE_CONVERSION
                    : this == RESTRICTED_FORBID_UNSAFE_EXP_RESULTS
                            ? RESTRICTED_FORBID_UNSAFE_EXP_RESULTS_WITH_TYPE_CONVERSION
                            : new StandardExpressionExecutionContext(
                                    getRestrictVariableAccess(), getForbidUnsafeExpressionResults(), true);
}
/**
 * Evaluates a variable expression and, when the execution context forbids unsafe
 * results, enforces an allowlist of result types.
 * <p>
 * Type conversion for the evaluation is taken from the expression itself
 * ({@code getConvertToString()}); every other restriction comes from {@code expContext}.
 * The unsafe-result check is performed against the caller-supplied {@code expContext},
 * not against the derived evaluation context.
 *
 * @param context the expression context the evaluator runs against
 * @param expression the variable expression to evaluate
 * @param expressionEvaluator the evaluator that actually resolves the expression
 * @param expContext execution restrictions for this evaluation
 * @return the evaluation result, which is {@code null}, a {@link Number} or a
 *         {@link Boolean} whenever unsafe results are forbidden
 * @throws TemplateProcessingException if unsafe results are forbidden and the
 *         result is of any other type
 */
static Object executeVariableExpression(
        final IExpressionContext context,
        final VariableExpression expression,
        final IStandardVariableExpressionEvaluator expressionEvaluator,
        final StandardExpressionExecutionContext expContext) {

    if (logger.isTraceEnabled()) {
        logger.trace("[THYMELEAF][{}] Evaluating variable expression: \"{}\"",
                TemplateEngine.threadIndex(), expression.getStringRepresentation());
    }

    final StandardExpressionExecutionContext effectiveContext;
    if (expression.getConvertToString()) {
        effectiveContext = expContext.withTypeConversion();
    } else {
        effectiveContext = expContext.withoutTypeConversion();
    }

    final Object evaluated = expressionEvaluator.evaluate(context, expression, effectiveContext);

    // Unrestricted context: hand back whatever the evaluator produced.
    if (!expContext.getForbidUnsafeExpressionResults()) {
        return evaluated;
    }

    // Restricted context: only null, numbers and booleans are considered safe, because any
    // other type could be rendered into a String the template author does not control.
    // This is mainly useful for helping prevent code injection in th:on* event handlers.
    final boolean safeResult =
            evaluated == null || evaluated instanceof Number || evaluated instanceof Boolean;
    if (safeResult) {
        return evaluated;
    }

    throw new TemplateProcessingException(
            "Only variable expressions returning numbers or booleans are allowed in this context, any other data" +
            "types are not trusted in the context of this expression, including Strings or any other " +
            "object that could be rendered as a text literal. A typical case is HTML attributes for event handlers (e.g. " +
            "\"onload\"), in which textual data from variables should better be output to \"data-*\" attributes and then " +
            "read from the event handler.");
}
contextVariablesMap = new OGNLExpressionObjectsWrapper(expressionObjects, expContext.getRestrictVariableAccess()); if (expContext.getRestrictVariableAccess()) { contextVariablesMap.put(OGNLContextPropertyAccessor.RESTRICT_REQUEST_PARAMETERS, OGNLContextPropertyAccessor.RESTRICT_REQUEST_PARAMETERS); } else { if (expContext.getRestrictVariableAccess()) { contextVariablesMap = CONTEXT_VARIABLES_MAP_NOEXPOBJECTS_RESTRICTIONS; } else { if (!expContext.getPerformTypeConversion()) { return result;
if (!expContext.getPerformTypeConversion()) { return result;
/**
 * Evaluates a variable expression through the given evaluator (non-selection mode).
 * <p>
 * The expression's own {@code getConvertToString()} flag decides whether the
 * evaluation context has type conversion switched on; all other restrictions are
 * inherited from {@code expContext}. The trace message is emitted before the
 * null check so a failing expression is still visible in the trace log.
 *
 * @param configuration the engine configuration passed through to the evaluator
 * @param processingContext the processing context passed through to the evaluator
 * @param expression the variable expression to evaluate
 * @param expressionEvaluator the evaluator that resolves the expression text
 * @param expContext execution restrictions for this evaluation
 * @return whatever the evaluator returns for the expression
 * @throws TemplateProcessingException if the expression text is {@code null}
 */
static Object executeVariable(
        final Configuration configuration,
        final IProcessingContext processingContext,
        final VariableExpression expression,
        final IStandardVariableExpressionEvaluator expressionEvaluator,
        final StandardExpressionExecutionContext expContext) {

    if (logger.isTraceEnabled()) {
        logger.trace("[THYMELEAF][{}] Evaluating variable expression: \"{}\"",
                TemplateEngine.threadIndex(), expression.getStringRepresentation());
    }

    final String expressionText = expression.getExpression();
    if (expressionText == null) {
        throw new TemplateProcessingException("Variable expression is null, which is not allowed");
    }

    final StandardExpressionExecutionContext effectiveContext;
    if (expression.getConvertToString()) {
        effectiveContext = expContext.withTypeConversion();
    } else {
        effectiveContext = expContext.withoutTypeConversion();
    }

    // Last argument false: this is a plain variable expression, not a selection one.
    return expressionEvaluator.evaluate(
            configuration, processingContext, expressionText, effectiveContext, false);
}
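/**
 * Propagates the execution context's variable restrictions to the variable maps the
 * evaluator will read from.
 * <p>
 * When {@code expContext.getForbidRequestParameters()} is set, the restriction list
 * {@code StandardVariableRestrictions.REQUEST_PARAMETERS_FORBIDDEN} is applied; otherwise
 * {@code null} is applied (presumably clearing any previous restriction — confirm against
 * {@code VariablesMap.setRestrictions}). The restriction is applied to the
 * {@link VariablesMap} of the {@link IContext} stored under
 * {@code ExpressionEvaluatorObjects.CONTEXT_VARIABLE_NAME}, and to the evaluation root
 * itself when it is a {@link VariablesMap}. Both targets are updated independently, so
 * neither being absent prevents the other from being restricted.
 *
 * @param expContext execution restrictions for the current evaluation
 * @param evaluationRoot root object of the evaluation, may be {@code null}
 * @param contextVariables variables available to the evaluator, must not be {@code null}
 */
protected void setVariableRestrictions(final StandardExpressionExecutionContext expContext,
        final Object evaluationRoot, final Map<String,Object> contextVariables) {

    final List<IContextVariableRestriction> restrictions =
            (expContext.getForbidRequestParameters()
                    ? StandardVariableRestrictions.REQUEST_PARAMETERS_FORBIDDEN
                    : null);

    // instanceof is false for null, so no separate null check is needed for either target.
    final Object context = contextVariables.get(ExpressionEvaluatorObjects.CONTEXT_VARIABLE_NAME);
    if (context instanceof IContext) {
        final VariablesMap<?,?> variablesMap = ((IContext) context).getVariables();
        variablesMap.setRestrictions(restrictions);
    }

    if (evaluationRoot instanceof VariablesMap<?,?>) {
        ((VariablesMap<?,?>) evaluationRoot).setRestrictions(restrictions);
    }

}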
if (expContext.getPerformTypeConversion()) { thymeleafEvaluationContext.setVariableAccessRestricted(expContext.getRestrictVariableAccess()); if (!expContext.getPerformTypeConversion()) { return exp.expression.getValue(thymeleafEvaluationContext, evaluationRoot);
if (!expContext.getPerformTypeConversion()) { return result;
/**
 * Evaluates a selection variable expression through the given evaluator (selection mode).
 * <p>
 * Mirrors {@code executeVariable}, differing only in the trace message and in the
 * final {@code true} argument that tells the evaluator to resolve against the
 * current selection target. The null-expression message is shared with the plain
 * variable variant.
 *
 * @param configuration the engine configuration passed through to the evaluator
 * @param processingContext the processing context passed through to the evaluator
 * @param expression the selection variable expression to evaluate
 * @param expressionEvaluator the evaluator that resolves the expression text
 * @param expContext execution restrictions for this evaluation
 * @return whatever the evaluator returns for the expression
 * @throws TemplateProcessingException if the expression text is {@code null}
 */
static Object executeSelectionVariable(
        final Configuration configuration,
        final IProcessingContext processingContext,
        final SelectionVariableExpression expression,
        final IStandardVariableExpressionEvaluator expressionEvaluator,
        final StandardExpressionExecutionContext expContext) {

    if (logger.isTraceEnabled()) {
        logger.trace("[THYMELEAF][{}] Evaluating selection variable expression: \"{}\"",
                TemplateEngine.threadIndex(), expression.getStringRepresentation());
    }

    final String expressionText = expression.getExpression();
    if (expressionText == null) {
        throw new TemplateProcessingException("Variable expression is null, which is not allowed");
    }

    final StandardExpressionExecutionContext effectiveContext;
    if (expression.getConvertToString()) {
        effectiveContext = expContext.withTypeConversion();
    } else {
        effectiveContext = expContext.withoutTypeConversion();
    }

    // Last argument true: evaluate as a selection (*{...}) expression.
    return expressionEvaluator.evaluate(
            configuration, processingContext, expressionText, effectiveContext, true);
}
if (expContext.getPerformTypeConversion()) { thymeleafEvaluationContext.setVariableAccessRestricted(expContext.getRestrictVariableAccess()); if (!expContext.getPerformTypeConversion()) { return exp.expression.getValue(thymeleafEvaluationContext, evaluationRoot);
/**
 * Returns a context equivalent to this one but with type conversion disabled.
 * <p>
 * Inverse of {@link #withTypeConversion()}: the shared {@code *_WITH_TYPE_CONVERSION}
 * instances are mapped back onto their plain counterparts without allocating; any other
 * instance yields a fresh context carrying the same variable-access and unsafe-result
 * restrictions with conversion switched off.
 *
 * @return this instance if it does not perform type conversion, otherwise the
 *         non-converting equivalent
 */
public StandardExpressionExecutionContext withoutTypeConversion() {
    // Nothing to change when conversion is already off.
    if (!getPerformTypeConversion()) {
        return this;
    }
    // Identity comparison is intentional: only the well-known shared instances are
    // swapped for their pre-built counterparts; everything else is rebuilt with the
    // same restriction flags and conversion switched off.
    return this == NORMAL_WITH_TYPE_CONVERSION
            ? NORMAL
            : this == RESTRICTED_WITH_TYPE_CONVERSION
                    ? RESTRICTED
                    : this == RESTRICTED_FORBID_UNSAFE_EXP_RESULTS_WITH_TYPE_CONVERSION
                            ? RESTRICTED_FORBID_UNSAFE_EXP_RESULTS
                            : new StandardExpressionExecutionContext(
                                    getRestrictVariableAccess(), getForbidUnsafeExpressionResults(), false);
}
/**
 * Evaluates a selection variable expression and, when the execution context forbids
 * unsafe results, enforces an allowlist of result types.
 * <p>
 * Same contract as {@code executeVariableExpression}, applied to selection expressions:
 * type conversion is taken from the expression's {@code getConvertToString()} flag, all
 * other restrictions from {@code expContext}, and the unsafe-result check is performed
 * against the caller-supplied {@code expContext} rather than the derived evaluation
 * context.
 *
 * @param context the expression context the evaluator runs against
 * @param expression the selection variable expression to evaluate
 * @param expressionEvaluator the evaluator that actually resolves the expression
 * @param expContext execution restrictions for this evaluation
 * @return the evaluation result, which is {@code null}, a {@link Number} or a
 *         {@link Boolean} whenever unsafe results are forbidden
 * @throws TemplateProcessingException if unsafe results are forbidden and the
 *         result is of any other type
 */
static Object executeSelectionVariableExpression(
        final IExpressionContext context,
        final SelectionVariableExpression expression,
        final IStandardVariableExpressionEvaluator expressionEvaluator,
        final StandardExpressionExecutionContext expContext) {

    if (logger.isTraceEnabled()) {
        logger.trace("[THYMELEAF][{}] Evaluating selection variable expression: \"{}\"",
                TemplateEngine.threadIndex(), expression.getStringRepresentation());
    }

    final StandardExpressionExecutionContext effectiveContext;
    if (expression.getConvertToString()) {
        effectiveContext = expContext.withTypeConversion();
    } else {
        effectiveContext = expContext.withoutTypeConversion();
    }

    final Object evaluated = expressionEvaluator.evaluate(context, expression, effectiveContext);

    // Unrestricted context: hand back whatever the evaluator produced.
    if (!expContext.getForbidUnsafeExpressionResults()) {
        return evaluated;
    }

    // Restricted context: only null, numbers and booleans are considered safe, because any
    // other type could be rendered into a String the template author does not control.
    // This is mainly useful for helping prevent code injection in th:on* event handlers.
    final boolean safeResult =
            evaluated == null || evaluated instanceof Number || evaluated instanceof Boolean;
    if (safeResult) {
        return evaluated;
    }

    throw new TemplateProcessingException(
            "Only variable expressions returning numbers or booleans are allowed in this context, any other data" +
            "types are not trusted in the context of this expression, including Strings or any other " +
            "object that could be rendered as a text literal. A typical case is HTML attributes for event handlers (e.g. " +
            "\"onload\"), in which textual data from variables should better be output to \"data-*\" attributes and then " +
            "read from the event handler.");
}
if (expContext.getPerformTypeConversion()) { thymeleafEvaluationContext.setVariableAccessRestricted(expContext.getRestrictVariableAccess()); if (!expContext.getPerformTypeConversion()) { return exp.expression.getValue(thymeleafEvaluationContext, evaluationRoot);
if (expContext.getPerformTypeConversion()) { thymeleafEvaluationContext.setVariableAccessRestricted(expContext.getRestrictVariableAccess()); if (!expContext.getPerformTypeConversion()) { return exp.expression.getValue(thymeleafEvaluationContext, evaluationRoot);
if (expContext.getPerformTypeConversion()) { thymeleafEvaluationContext.setVariableAccessRestricted(expContext.getRestrictVariableAccess()); if (!expContext.getPerformTypeConversion()) { return exp.expression.getValue(thymeleafEvaluationContext, evaluationRoot);