
Template calls in <script> blocks are not allowed

Open sysmat opened this issue 10 months ago • 9 comments

  • jte: 3.1.16
  • mvn: <contentType>Html</contentType>
  • mvn build error: Template calls in <script> blocks are not allowed.
  • This is too opinionated, you must allow developers to decide

sysmat avatar Mar 15 '25 08:03 sysmat

What's your use case?

kelunik avatar Mar 23 '25 16:03 kelunik

From Java I set some local storage, some JavaScript values, ...

sysmat avatar Mar 23 '25 16:03 sysmat

Why do you put the JavaScript into a different template? What does your code look like?

kelunik avatar Mar 25 '25 08:03 kelunik

Because the backend generates some stuff for the user. I can't put code here on GitHub.

sysmat avatar Mar 25 '25 08:03 sysmat

I'm facing the exact same issue. A template engine shouldn't check this. I can understand that this could be a security concern in certain scenarios, but it makes jte entirely useless in other scenarios. Is there any way to skip this test?

eztam- avatar Jul 26 '25 20:07 eztam-

If you share code examples, we can suggest alternatives that are safe and secure instead.

kelunik avatar Jul 27 '25 16:07 kelunik

Putting a template into a script tag is not necessarily insecure.

eztam- avatar Jul 28 '25 18:07 eztam-

Of course, but the likelihood is very high. If you don't share an example, we can't suggest alternatives.

kelunik avatar Jul 28 '25 18:07 kelunik

Just an idea: To pass values to JavaScript using JTE, you could use HTML data attributes. Set the data attribute values with JTE and access them with JavaScript as described in this MDN article. Would this fit your use case?

philipbolting avatar Aug 01 '25 11:08 philipbolting
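
The data-attribute approach suggested above, sketched as an added example (not code from this thread or from the jte project). The element id, the attribute names, and the `readServerValues` / `storeServerValues` helpers are assumptions for illustration; the stand-in element and storage are constructed so the block also runs outside a browser.

```javascript
// Hypothetical template side (attribute and parameter names are assumptions):
//   <div id="server-values" data-user-id="${userId}" data-prefs="${prefsJson}"></div>
// The backend values arrive as HTML attribute text, never as script source.

// Read the data attributes and return typed, validated values.
// dataset values are always strings, so parse and check them before use.
function readServerValues(el) {
  const { userId, prefs } = el.dataset;
  if (!/^\d{1,15}$/.test(userId ?? "")) {
    throw new Error("data-user-id missing or not a number");
  }
  let parsedPrefs;
  try {
    parsedPrefs = JSON.parse(prefs ?? "{}");
  } catch {
    throw new Error("data-prefs is not valid JSON");
  }
  if (parsedPrefs === null || typeof parsedPrefs !== "object" || Array.isArray(parsedPrefs)) {
    throw new Error("data-prefs must be a JSON object");
  }
  return { userId: Number(userId), prefs: parsedPrefs };
}

// Copy the values into a Storage-like object (localStorage in the browser).
function storeServerValues(el, storage) {
  const values = readServerValues(el);
  storage.setItem("userId", String(values.userId));
  storage.setItem("prefs", JSON.stringify(values.prefs));
  return values;
}

// Constructed stand-ins so the example runs without a DOM.
function fakeElement(dataset) {
  return { dataset };
}
function fakeStorage() {
  const m = new Map();
  return {
    setItem: (k, v) => m.set(k, v),
    getItem: (k) => (m.has(k) ? m.get(k) : null),
  };
}

// Browser usage:
//   storeServerValues(document.getElementById("server-values"), localStorage);
```

Because the script file is static and only reads `dataset`, no template call is needed inside a `<script>` block.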