Template

  • Simple & Friendly
  • High-Performance
  • High-Quality

Example

This document demonstrates the more important aspects of HTTL and can be used as an introductory reference.

Template Example

books.httl: (HTTL has only six directives: #set, #if, #else, #for, #break, #macro, and no more will be added)




	
	
	
	
${book.title}
No data available.
${book.title} $!{cover(book)} ${price}
Without permission. Not logged on.

If you develop in Eclipse, use the following setting so that Eclipse opens httl files with the HTML editor:

Menu > Window > Preferences > General > Content Types > Text > HTML > Add > *.httl

Configuration Example

httl.properties:

import.packages+=com.xxx
template.directory =
message.basename = messages
input.encoding = UTF-8
output.encoding = UTF-8
reloadable = false
precompiled = false

The += means the value is appended to the default configuration; multiple values are separated by commas.

Note that settings for which you use the default value do not need to be configured. For the default values, refer to: httl-default.properties

API Example

BooksServlet.java:

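import httl.*;
import java.util.*;

// user, books and response come from the surrounding servlet method.
Map<String, Object> parameters = new HashMap<String, Object>();
parameters.put("user", user);
parameters.put("books", books);

// Look up the template and render it straight to the servlet response.
Engine engine = Engine.getEngine();
Template template = engine.getTemplate("/books.httl");
template.render(parameters, response.getOutputStream());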

Note: with the default configuration, HTTL does not depend on any third-party libraries; JDK 1.5+ is all it needs.

Note: by default HTTL must run on a JDK. If only a JRE is available, configure JavassistCompiler.

Extension Example

HTTL does not allow directives to be extended. This keeps the directive set minimal and prevents template semantics from becoming complex; all extensions are implemented through extension methods.

For example, a JSP custom tag: ...

is implemented in HTTL with an extension method: #if(hasPrivilege("foo")) ... #end

Simply define a static method:

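package com.xxx;

import httl.Context;

public class PrivilegeMethod {

	// Simplified check: true when a user is logged in; the resource argument is not consulted.
	public static boolean hasPrivilege(String resource) {
		return Context.getContext().get("loginUserId") != null;
	}

}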

and configure: import.methods+=com.xxx.PrivilegeMethod

In addition, HTTL supports calling static extension methods in the same form as ordinary object methods, such as: ${date.format("yyyy-MM-dd")}

This actually calls the following static method (the object the method is called on is passed as the first argument, and the remaining arguments follow):

public static String format(Date date, String format) {
	return new SimpleDateFormat(format).format(date);
}
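The calling convention described above, where the object before the dot becomes the first argument of a static method, can be shown with plain reflection. This is an added illustration, not HTTL's own resolver; the DateMethod class and the call helper are hypothetical names.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.text.SimpleDateFormat;
import java.util.Date;

public class ExtensionMethodDispatch {
    // Stand-in for a class listed under import.methods (hypothetical name).
    public static class DateMethod {
        public static String format(Date date, String format) {
            return new SimpleDateFormat(format).format(date);
        }
    }

    // Resolve target.name(args...) to a public static name(target, args...) on an imported class.
    // Primitive parameter types are not matched in this illustration.
    static Object call(Class<?>[] imported, Object target, String name, Object... args)
            throws Exception {
        for (Class<?> c : imported) {
            for (Method m : c.getMethods()) {
                Class<?>[] p = m.getParameterTypes();
                if (!Modifier.isStatic(m.getModifiers()) || !m.getName().equals(name)
                        || p.length != args.length + 1 || !p[0].isInstance(target)) continue;
                boolean ok = true;
                for (int i = 0; i < args.length; i++) ok &= p[i + 1].isInstance(args[i]);
                if (!ok) continue;
                Object[] all = new Object[args.length + 1];
                all[0] = target;                          // receiver goes first
                System.arraycopy(args, 0, all, 1, args.length);
                return m.invoke(null, all);
            }
        }
        throw new NoSuchMethodException(name + " is not an imported extension method");
    }

    public static void main(String[] args) throws Exception {
        Class<?>[] imported = { DateMethod.class };
        // Equivalent of ${date.format("yyyy-MM-dd")} with date = new Date(0L).
        System.out.println(call(imported, new Date(0L), "format", "yyyy-MM-dd"));
        try {
            call(imported, "not a date", "format", "yyyy-MM-dd"); // receiver type does not match
        } catch (NoSuchMethodException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```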

Inheritance Example

Template inheritance through macro overriding can be understood in the same way as method overriding in Java class inheritance.

layout.httl:


	
		 
Home
Users
Books
Building ...

Here, #macro($!crumbs) means the macro is also output at the position where it is defined, which is equivalent to #macro(crumbs) plus $!{crumbs}.

books.httl:

$!{extends("/layout.httl")}

$!{super.crumbs} > Books

${book.title}

Here, a macro with the same name overrides the parent template's macro; the macro's parameters can differ from those of the parent template's macro.

Macros that are not overridden are output directly from the parent template.

Note that the macro name must not be prefixed with $! here, otherwise the macro will be output twice.

You can inherit multiple templates; after the inheritance directive, the child template itself can carry content.

Inside the crumbs macro, $!{super.crumbs} outputs the parent template's crumbs macro.

Templates can also be inherited automatically, based on CoC (Convention over Configuration) rules:

# Name of the variable used for automatic inheritance: if context.get(extends.variable) exists, that template is inherited.
# Note: the inherited template is looked up in the template directory, that is: template.directory + context.get(extends.variable)
extends.variable = layout

# If the default template exists, it is inherited.
# Note: the default inherited template is looked up in the template directory, that is: template.directory + extends.default
extends.default = default.httl

# Name under which the parent template refers to the child template, e.g. ${nested} in the parent template outputs the child template's content.
# Or, if the parent template has macros, they are replaced by the child template's.
extends.nested = nested

Security Samples

HTTL detects the position of each variable and applies a different security filter accordingly, for example:











This is achieved by configuring different filters in httl.properties, and the httl.spi.Switcher extension point can be used to add further variable positions and filter switching modes (the following is the default and needs no configuration):

value.switchers = httl.spi.switchers.ScriptValueFilterSwitcher, httl.spi.switchers.StyleValueFilterSwitcher
value.filters = httl.spi.filters.EscapeXmlFilter
script.value.filters = httl.spi.filters.EscapeStringFilter
style.value.filters = httl.spi.filters.EscapeStringFilter

HTTL enables HTML, JS and CSS filtering by default, so that users who forget to configure it are not exposed to HTML injection attacks.

HTML injection attack examples:

(1) Attribute injection:

<input value="$!{foo}" />

If the value of the variable foo is:
" onload="alert('HACK');
the leading quotation mark closes the value attribute, and the onload attribute in the middle becomes a legitimate attribute, so the injected alert statement is executed.

(2) Script injection:

<script type="text/javascript">
var value="$!{foo}";
</script>

If the value of the variable foo is:
"; alert('HACK'); //
the leading quote and semicolon end the assignment to value, and the trailing double slash comments out the rest of the statement, so the injected alert statement in the middle is executed.

(3) Style injection:

<style type="text/css">
.div {
	font-family:"$!{foo}"
}
</style>

If the value of the variable foo is:
"; star:expression(onload=function(){alert('HACK');});
the leading quote and semicolon end the font-family property, and the injected alert statement is then executed through expression.

(4) Tag injection:

$!{foo}

If the value of the variable foo is:
<script>alert('HACK');</script>
the variable's content is treated directly as HTML, so the injected alert statement is executed.
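The position-dependent filtering described in this section, as an added example that is not HTTL's own code: a toy renderer applies an XML-escaping filter by default and switches to a string-escaping filter inside script and style blocks, run against values from the injection examples above. The ${name} placeholder handling and both escape functions are assumptions made for the illustration.

```java
import java.util.*;
import java.util.regex.*;

public class PositionAwareEscaping {
    // Default position (HTML text or attribute value): escape markup characters.
    static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
    // Inside <script>/<style> the value sits in a quoted string literal.
    static String escapeString(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '"' || c == '\'') sb.append('\\').append(c);
            else if (c == '\n' || c == '\r') sb.append(c == '\n' ? "\\n" : "\\r");
            else if (c == '<') sb.append("\\x3c"); // stops "</script>" closing the block early
            else sb.append(c);
        }
        return sb.toString();
    }
    static final Pattern TOKEN = Pattern.compile(
            "<(/?)(script|style)\\b|\\$\\{(\\w+)\\}", Pattern.CASE_INSENSITIVE);

    // Toy renderer: ${name} is a placeholder; the filter depends on where it appears.
    static String render(String template, Map<String, String> vars) {
        StringBuilder out = new StringBuilder();
        boolean inStringBlock = false;
        int last = 0;
        Matcher m = TOKEN.matcher(template);
        while (m.find()) {
            out.append(template, last, m.start());
            last = m.end();
            if (m.group(3) == null) {                 // <script>/<style> open or close tag
                inStringBlock = m.group(1).isEmpty();
                out.append(m.group());
            } else {
                String v = String.valueOf(vars.get(m.group(3)));
                out.append(inStringBlock ? escapeString(v) : escapeXml(v));
            }
        }
        return out.append(template.substring(last)).toString();
    }
    public static void main(String[] args) {
        String tpl = "<input value=\"${foo}\" />\n<script>var value=\"${foo}\";</script>\n"
                   + "<style>.div { font-family:\"${foo}\" }</style>\n<p>${foo}</p>";
        // Values from the injection examples above, used as constructed test input.
        String[] values = { "\" onload=\"alert('HACK');", "\"; alert('HACK'); //",
                            "<script>alert('HACK');</script>" };
        for (String v : values) System.out.println(render(tpl, Collections.singletonMap("foo", v)) + "\n");
    }
}
```

Positions this tracker does not model, such as event-handler attributes or URLs, fall through to the default XML filter, and inside a style block the \x3c escape yields the literal text x3c rather than a CSS escape.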

Exception Example

HTTL exception messages usually include: the cause of the error, the error location, the solution, and context information.

For example, the exception for an undeclared variable:

java.text.ParseException: Undefined variable"user".
Please add variable type definition: your tempalte.
Occur to offset: 6, line: 2, column: 3, char: u, in:
/WEB-INF/templates/user.httl
========================================
... ${user.name} ...
	 ^-Here
========================================
, Stack: java.text.ParseException:
at httl.spi.translators.DfaParser.parse(DfaParser.java:401)
at httl.spi.translators.DefaultTranslator.translate(DefaultTranslator.java:109)
  • Cause of error: Undefined variable"user"
  • Error location: occur to offset: 6, line: 2, column: 3, char: u
  • Solution: Please add variable type definition
  • Context: /WEB-INF/templates/user.httl