Reputation: 39889
I'm looking for a template engine in Java that disallows code execution in templates, only tags.
In a perfect world, I would be searching for an equivalent to Jinja2 (or the Django template engine). Based on Django, template tags will be used when created by me, but a user can't create a template tag (by executing code).
I would implement it in the Play! Framework.
Thanks for your help!
Upvotes: 6
Views: 7189
Reputation: 11
If you want to provide a simple way to modify the templates without much learning about hundreds of custom tags and achieve a clearly defined functionality to be accessed, while being free in how to present it, you should think about passive templates. This ensures no malicious code can be added :) A strong engine with passive templates in Java is Snippetory. However, if you want to control access, access control might be a good idea, too.
Upvotes: 1
Reputation: 7465
From your requirements, it looks as if all you required was a template engine that didn't allow anything similar to JSP's scriptlets (between <% and %>) and was only based on tags and/or attributes...
If so, I'd like to suggest Thymeleaf http://www.thymeleaf.org (here a comparison with JSP), of which I'm the author. But if I'm not wrong, these are requirements that could also be fulfilled by Velocity http://velocity.apache.org, so it's up to you to choose!
Upvotes: 1
Reputation:
StringTemplate is what you are looking for.
Its distinguishing characteristic is that it strictly enforces model-view separation unlike other engines. Strict separation makes websites and code generators more flexible and maintainable; it also provides an excellent defense against malicious template authors.
Upvotes: 6
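The property asked for in this thread (templates can call tags the developer registered, but cannot define tags or run code) can be seen in a small self-contained sketch. This is an added example, not code from any answer or from Thymeleaf, Velocity, Snippetory or StringTemplate; the class name `TagOnlyTemplate`, the `{{ }}` / `{% %}` syntax and the `upper` tag are assumptions made for illustration.

```java
import java.util.*;
import java.util.function.Function;
import java.util.regex.*;

public class TagOnlyTemplate {
    // Tags are registered from application code only; template text has no way to add one.
    private final Map<String, Function<String, String>> tags = new HashMap<>();
    // {{ name }} inserts a model value; {% tag arg %} calls a registered tag.
    private static final Pattern TOKEN = Pattern.compile(
        "\\{\\{\\s*(\\w+)\\s*\\}\\}|\\{%\\s*(\\w+)\\s*([^%]*?)\\s*%\\}");

    public void registerTag(String name, Function<String, String> impl) {
        tags.put(name, impl);
    }

    // The model is a flat String map: no object graph, no reflection, no method calls.
    public String render(String template, Map<String, String> model) {
        Matcher m = TOKEN.matcher(template);
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            out.append(template, last, m.start());   // literal template text
            if (m.group(1) != null) {
                String value = model.get(m.group(1));
                out.append(escape(value == null ? "" : value));
            } else {
                Function<String, String> tag = tags.get(m.group(2));
                if (tag == null) {                    // fail closed on unknown tags
                    throw new IllegalArgumentException("Unknown tag: " + m.group(2));
                }
                out.append(escape(tag.apply(m.group(3))));
            }
            last = m.end();
        }
        return out.append(template, last, template.length()).toString();
    }

    static String escape(String s) {                  // HTML-escape model and tag output
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        TagOnlyTemplate engine = new TagOnlyTemplate();
        engine.registerTag("upper", arg -> arg.toUpperCase(Locale.ROOT));
        Map<String, String> model = Map.of("user", "<b>Ann</b>"); // constructed sample data
        System.out.println(engine.render("Hi {{ user }}, {% upper welcome %}!", model));
        try {
            engine.render("{% eval 1+1 %}", model);   // constructed template using an unregistered tag
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Literal template text is passed through unchanged, so this design limits what a template author can execute, not what markup they can write.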