Forum Discussion

peterlu's avatar
peterlu
Champion
5 years ago

html entity decode

Hi,   We all know that freemarker can encode special html characters( &, quotes, < > and more), eg. & => &amp; But I need to way to decode it. eg. &amp;  => & I have looked around. It looks lik...
  • AndrewF's avatar
    5 years ago

    Hi Peter, you are correct that FreeMarker did not implement HTML processing like decoding. This was deliberate: FreeMarker's primary use case is to output HTML, so to prevent common security vulnerabilities they designed it so that you work with raw data, and escaping for HTML is the final step before outputting. We're stretching FreeMarker past its design goals, doing much more complex things like API calls and data transformation -- so we did add a utility:

    utils.html.unescaper.unescape(...).

    The usual caveats apply:

    • FreeMarker is not a programming language; it is primarily designed for displaying data and is not great at converting or building data. If the message body is being sent somewhere else, it may be a better idea to implement all the HTML post-processing in that environment. This would also make it easier to tweak the algorithm, and it might make user requests faster by offloading some work from the community.
    • Unescaping should only be done on one continuous block of HTML text, with no HTML elements present. That is, all elements must be removed.
    • Even if you strip all HTML, the unescape may result in HTML (because the original escaped text may look like HTML). Once unescaped, make sure it is never accidentally placed directly in an HTML context without proper escaping.