Current status
Currently the restricted expression evaluation mode is applied in the following scenarios (see note below):
- `__...__` preprocessing expressions.
- `th:utext` and inlined unescaped expressions.
- `th:on*` attribute processors for JavaScript events whose value is a Thymeleaf Standard Expression (see Enable processing of HTML event handler attributes in JAVASCRIPT template mode #707).
- `th:attr` attribute processor, which enables the creation of variables with arbitrary names to be used elsewhere in the template.
- Template and fragment names in Fragment Expressions: `~{...}` or the contents of `th:insert`, `th:replace`, `th:include` and `th:substituteby`.
- Fragment parameters in Fragment Expressions (`~{...}` or `th:insert`, `th:replace`, etc.), so that template fragments cannot be called with parameters whose values come from direct user input (a scenario equivalent to that of `th:attr`).
- Default attribute processor (see Default attribute support #297), which allows the rendering of any attribute with an arbitrary name (just in case it is a JS event or anything similar).
- URL bases in Link Expressions (`@{...}`); URL parameters will not be restricted.
- `th:src` and `th:href` (except URL parameters inside Link Expressions, as explained above).
- Output expressions in TEXT template mode, even if escaped, in any position (safest, given the lack of knowledge about the use they are being given).

This restricted mode applies the following restrictions:

- No access allowed to the request parameters: `${param.*}` and also any of:
  - `${#request.getParameter(...)}`
  - `${#request.getParameterValues(...)}`
  - `${#request.getParameterMap()}`
  - `${#request.getQueryString()}`
  - `${#httpServletRequest.getParameter(...)}`
  - `${#httpServletRequest.getParameterValues(...)}`
  - `${#httpServletRequest.getParameterMap()}`
  - `${#httpServletRequest.getQueryString()}`
- In `th:on*` attribute processors whose attribute is a Thymeleaf Standard Expression: no expression is allowed to have a result of a type other than numeric or boolean.

Modifications to the restricted mode

The new restrictions to be applied would include, for all scenarios where it is applicable:

- Creation of new objects (`new ...`)
- Access to static code (`@identifier@` in OGNL, `T(identifier)` in SpringEL)
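As an added example (not Thymeleaf's own code, and not how the engine enforces the mode, which it does at expression evaluation time), a small Python check that applies the lists above to template source before it ships: it flags request-parameter access, object creation and static access inside the attribute processors listed as restricted, and leaves URL parameters in link expressions alone because the page says those are not restricted. The attribute names and forbidden patterns come from the page; the sample template is constructed, and the numeric/boolean result rule for `th:on*` is not checked because it needs runtime types.

```python
import re

# Attribute processors the page lists as evaluated in restricted mode
# (th:on* covers every JavaScript event attribute).
RESTRICTED_ATTRS = re.compile(
    r'\bth:(utext|on\w+|attr|src|href|insert|replace|include|substituteby)'
    r'\s*=\s*"([^"]*)"', re.IGNORECASE)

# Forbidden expression fragments: request parameter access (current rule)
# plus object creation and static access (the proposed additions).
FORBIDDEN = [
    ("request parameter", re.compile(r'\$\{\s*param\.')),
    ("request parameter", re.compile(
        r'#(request|httpServletRequest)\.'
        r'get(Parameter|ParameterValues|ParameterMap|QueryString)\s*\(')),
    ("object creation", re.compile(r'\bnew\s+[A-Za-z_]')),
    ("static access (OGNL)", re.compile(r'@[\w.]+@')),
    ("static access (SpringEL)", re.compile(r'\bT\(\s*[\w.]+\s*\)')),
]

# Link-expression parameters "@{/path(k=v)}" are explicitly not restricted,
# so they are dropped before a th:src / th:href value is inspected.
LINK_PARAMS = re.compile(r'(@\{[^(}]*)\([^)]*\)')


def lint_template(html: str):
    """Return (line, attribute, reason) for every restricted-mode violation."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), 1):
        for m in RESTRICTED_ATTRS.finditer(line):
            attr, value = m.group(1).lower(), m.group(2)
            if attr in ("src", "href"):
                value = LINK_PARAMS.sub(r"\1", value)
            for reason, pattern in FORBIDDEN:
                if pattern.search(value):
                    findings.append((lineno, "th:" + attr, reason))
    return findings


# Constructed sample: line 1 is unrestricted (th:text) and line 4 only passes
# a request parameter as a URL parameter, which the mode allows.
SAMPLE_TEMPLATE = """\
<p th:text="${param.q}">search</p>
<div th:utext="${param.banner}"></div>
<button th:onclick="'go(' + ${param.id} + ')'">go</button>
<a th:href="@{/item(id=${param.id})}">item</a>
<a th:href="@{${param.base}}">base</a>
<img th:src="${#request.getParameter('img')}"/>
<span th:attr="data-x=${@com.example.Util@VALUE}">x</span>
"""

if __name__ == "__main__":
    for lineno, attr, reason in lint_template(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {attr} uses forbidden {reason}")
```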