/**
 * Evaluates a selection variable expression ({@code *{...}}) and, when the execution
 * context forbids "unsafe" results, gates what may be handed back to the caller.
 *
 * <p>The gate is an allow-list on the evaluated <em>object</em>, not on rendered text:
 * only {@code null}, {@link Number} and {@link Boolean} pass. Anything else (Strings,
 * arbitrary beans) is rejected because its textual rendering cannot be trusted in a
 * context such as a {@code th:on*} event-handler attribute, where it could become
 * injected script. Textual data destined for such handlers is expected to go through
 * a {@code data-*} attribute instead.
 *
 * <p>NOTE(review): {@code Number} is an abstract type, so this allow-list admits any
 * subclass; whether such a value renders safely still depends on how the caller turns
 * it into text — confirm the rendering path only ever emits the numeric value.
 * The forbid flag is read from the caller's {@code expContext}, not from the
 * type-conversion variant derived below; presumably the variants carry the same flag,
 * verify against {@code StandardExpressionExecutionContext}.
 *
 * @param context the expression context the evaluator resolves against
 * @param expression the selection variable expression to evaluate
 * @param expressionEvaluator the evaluator that performs the actual evaluation
 * @param expContext execution context; its forbid-unsafe-results flag enables the gate
 * @return the evaluated object (possibly {@code null})
 * @throws TemplateProcessingException if unsafe results are forbidden and the result is
 *         neither {@code null}, a {@code Number} nor a {@code Boolean}
 */
static Object executeSelectionVariableExpression(
        final IExpressionContext context,
        final SelectionVariableExpression expression,
        final IStandardVariableExpressionEvaluator expressionEvaluator,
        final StandardExpressionExecutionContext expContext) {

    if (logger.isTraceEnabled()) {
        logger.trace("[THYMELEAF][{}] Evaluating selection variable expression: \"{}\"",
                TemplateEngine.threadIndex(), expression.getStringRepresentation());
    }

    // Pick the context variant matching the expression's own conversion preference.
    final StandardExpressionExecutionContext evaluationContext;
    if (expression.getConvertToString()) {
        evaluationContext = expContext.withTypeConversion();
    } else {
        evaluationContext = expContext.withoutTypeConversion();
    }

    final Object evaluated = expressionEvaluator.evaluate(context, expression, evaluationContext);

    // Allow-list of result types considered safe to render (see class-level note above).
    final boolean trustedType =
            evaluated == null || evaluated instanceof Number || evaluated instanceof Boolean;

    if (expContext.getForbidUnsafeExpressionResults() && !trustedType) {
        final String message =
                "Only variable expressions returning numbers or booleans are allowed in this context, any other data" +
                "types are not trusted in the context of this expression, including Strings or any other " +
                "object that could be rendered as a text literal. A typical case is HTML attributes for event handlers (e.g. " +
                "\"onload\"), in which textual data from variables should better be output to \"data-*\" attributes and then " +
                "read from the event handler.";
        throw new TemplateProcessingException(message);
    }

    return evaluated;
}
/**
 * Evaluates a selection variable expression ({@code *{...}}) through the
 * configuration/processing-context based evaluator API.
 *
 * <p>Unlike the {@code IExpressionContext} variant, this path applies no
 * "unsafe result" gate: whatever the evaluator returns is handed straight back,
 * so callers rendering into script-bearing attributes must apply their own checks.
 *
 * <p>NOTE(review): the trailing {@code true} passed to the evaluator is presumably
 * the flag marking this as a selection (as opposed to plain variable) evaluation —
 * confirm against the evaluator's signature.
 *
 * @param configuration engine configuration passed through to the evaluator
 * @param processingContext processing context passed through to the evaluator
 * @param expression the selection variable expression; its inner expression string
 *        must be non-null
 * @param expressionEvaluator the evaluator that performs the actual evaluation
 * @param expContext execution context, adapted to the expression's conversion preference
 * @return the evaluated object (possibly {@code null})
 * @throws TemplateProcessingException if the expression's inner string is {@code null}
 */
static Object executeSelectionVariable(
        final Configuration configuration,
        final IProcessingContext processingContext,
        final SelectionVariableExpression expression,
        final IStandardVariableExpressionEvaluator expressionEvaluator,
        final StandardExpressionExecutionContext expContext) {

    if (logger.isTraceEnabled()) {
        logger.trace("[THYMELEAF][{}] Evaluating selection variable expression: \"{}\"",
                TemplateEngine.threadIndex(), expression.getStringRepresentation());
    }

    // Reject a missing inner expression up front rather than letting the evaluator
    // fail on it with a less descriptive error.
    final String innerExpression = expression.getExpression();
    if (innerExpression == null) {
        throw new TemplateProcessingException("Variable expression is null, which is not allowed");
    }

    // Pick the context variant matching the expression's own conversion preference.
    final StandardExpressionExecutionContext evaluationContext;
    if (expression.getConvertToString()) {
        evaluationContext = expContext.withTypeConversion();
    } else {
        evaluationContext = expContext.withoutTypeConversion();
    }

    return expressionEvaluator.evaluate(
            configuration, processingContext, innerExpression, evaluationContext, true);
}