Enable auto escaping of strings in Freemarker templates #2251
Output was not being auto escaped by Freemarker
Freemarker output format was not set [as HTML] which meant that auto escaping was not enabled. With this change it is enabled by default.
This might affect users who are using formats other than HTML, but
Users relying on the existing behaviour may need to set individual
I couldn't find security contact information - is that something you are planning on adding?
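The effect described in this pull request, as an added example that is not part of the pull request or of Dropwizard's code: the same template is rendered once with a FreeMarker `Configuration` whose output format is left unset and once with `HTMLOutputFormat`. The class name, template text and sample value are constructed for illustration, and FreeMarker 2.3.24 or later is assumed to be on the classpath.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;

import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

public class AutoEscapeDemo {
    // Constructed sample data: a template with one interpolation and a value
    // that contains HTML markup, standing in for user-supplied input.
    static final String TEMPLATE = "<p>Hello, ${name}!</p>";
    static final String UNTRUSTED = "<b>Bob</b> & \"friends\"";

    // Renders TEMPLATE with the given configuration and reports which output
    // format the parsed template actually ended up with.
    static String render(Configuration cfg) throws Exception {
        Template t = new Template("demo.ftl", new StringReader(TEMPLATE), cfg);
        StringWriter out = new StringWriter();
        t.process(Collections.singletonMap("name", UNTRUSTED), out);
        return t.getOutputFormat().getName() + " -> " + out;
    }

    public static void main(String[] args) throws Exception {
        // Before: no output format configured. FreeMarker falls back to the
        // "undefined" format, which has no escaping rules, so the markup in
        // the value is written to the page unchanged.
        Configuration before = new Configuration(Configuration.VERSION_2_3_24);

        // After: HTML output format configured. With the default
        // auto-escaping policy, every ${...} is HTML-escaped on output.
        Configuration after = new Configuration(Configuration.VERSION_2_3_24);
        after.setOutputFormat(HTMLOutputFormat.INSTANCE);

        System.out.println(render(before));
        System.out.println(render(after));
    }
}
```

Printing the effective output format next to the rendered text makes it easy to confirm in a test that a template is really being parsed as HTML rather than falling back to the undefined format.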
Thank you for the pull request! We've made some progress in this area in 1.3.* : with #2213 you can use
Unfortunately, we don't have a security policy like Rails, Django, or Spring and don't provide an email address for secure communications. I guess Dropwizard isn't big enough for that, but having a security policy is definitely a good practice for a mature project. For the time being, I think the best way to disclose security issues is to post a request to disclose to the dropwizard-dev mailing list and/or contact one of the maintainers privately.
Jan 22, 2018
If there's the need for it, we could probably create a "write-only" Google Group which only the maintainers can read.