Changdong Li

Results 4 comments of Changdong Li

Hi ddekany, thanks for your detailed response. We already sanitized the templates and used a hardcoded FreeMarker version which has those advanced features removed. It doesn't allow executing external commands...

You are right. The solution you mentioned is better than that pull request. The data model content in our application is a hash map. Its keys are fixed strings. The...

BTW, you can view the hardcoded version here: https://github.com/ChangdongLi/freemarker/commit/99d7fa016d0d5677620b5d189727519175aaf153 Best regards, Danny
On Sun, 21 Jun 2020 at 00:27, Danny Li wrote:
> You are right.
> The solution you...

Thanks. In our application, the values are strings. I will try to harden the code as you suggested. BTW, our penetration tester followed https://ackcent.com/blog/in-depth-freemarker-template-injection/ Maybe some features could be disabled by...
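The comments above describe a setup where untrusted templates are rendered against a hash map whose keys are fixed strings and whose values are strings, and mention hardening the FreeMarker side so that the injection techniques from the linked write-up (`?new` on `freemarker.template.utility.Execute`, `?api` to reach raw Java objects) stop working. The following is an added example written for this page; it is not code from the thread, from the linked fork, or from ddekany's suggestion, and it shows one configuration-level approach: restrict the `?new` built-in with FreeMarker's `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER`, keep `?api` disabled, and hand the template a data model that exposes only string scalars rather than arbitrary Java objects. The class name, template text and sample data are constructed for illustration.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.SimpleScalar;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example (hypothetical class name): rendering untrusted FreeMarker templates
 *  against a string-only data model with the dangerous built-ins switched off. */
public class HardenedFreeMarker {

    /** A Configuration that refuses class instantiation and raw-object access from templates. */
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        // ?new resolves class names through this resolver; ALLOWS_NOTHING_RESOLVER rejects every
        // class, so "freemarker.template.utility.Execute"?new() fails at render time.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api is off by default since 2.3.22; set it explicitly so a later change cannot
        // silently re-enable access to the underlying Java objects of model values.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /** Data model that exposes exactly the fixed keys, each wrapped as a plain string scalar.
     *  No Java object other than the string value is ever reachable from the template. */
    static TemplateHashModel stringOnlyModel(final Map<String, String> values) {
        return new TemplateHashModel() {
            @Override public TemplateModel get(String key) {
                String v = values.get(key);
                return v == null ? null : new SimpleScalar(v);
            }
            @Override public boolean isEmpty() {
                return values.isEmpty();
            }
        };
    }

    /** Compiles an untrusted template from a string and renders it against the string-only model. */
    static String render(Configuration cfg, String templateSource, Map<String, String> values)
            throws IOException, TemplateException {
        Template template = new Template("untrusted", new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        template.process(stringOnlyModel(values), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // Constructed sample data: fixed key, string value, as described in the thread.
        Map<String, String> data = new LinkedHashMap<>();
        data.put("name", "Danny");

        // A benign template still works.
        System.out.println(render(cfg, "Hello ${name}!", data));

        // The ?new route to Execute is rejected by the class resolver with a TemplateException.
        String newPayload =
            "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";
        try {
            render(cfg, newPayload, data);
            System.out.println("UNEXPECTED: ?new payload rendered");
        } catch (TemplateException e) {
            System.out.println("Blocked ?new: " + e.getMessageWithoutStackTop());
        }

        // The ?api route is rejected because the built-in is disabled.
        try {
            render(cfg, "${name?api}", data);
            System.out.println("UNEXPECTED: ?api payload rendered");
        } catch (TemplateException e) {
            System.out.println("Blocked ?api: " + e.getMessageWithoutStackTop());
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, these settings are not a sandbox: a template can still consume CPU and memory (unbounded `<#list>` over a range, deep recursion in macros), so untrusted templates also need rendering time and output-size limits enforced outside FreeMarker. Second, the string-only model is what makes the `?api` and method-call surface small; if any value were a real Java bean instead of a `SimpleScalar`, the default object wrapper would expose its public methods to the template, so keep the wrapping decision in one place as above rather than passing the application's `Map` straight into `process`.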