Clarify the role of views with Spring MVC

This commit adds a section to the reference docs that explains that
views live within the trust boundary of the application, and the
security implications thereof.

Closes gh-24777
Arjen Poutsma 2020-03-25 14:58:18 +01:00
parent c42a0eeb38
commit 9fb614a5c6
1 changed files with 5 additions and 2 deletions


@ -7,8 +7,11 @@ Thymeleaf, Groovy Markup Templates, JSPs, or other technologies, is primarily a
of a configuration change. This chapter covers view technologies integrated with
Spring MVC. We assume you are already familiar with <<mvc-viewresolver>>.
WARNING: The views of a Spring MVC application live within the internal trust boundaries of that
application.
Views have access to all the beans of your application context.
As such, it is not recommended to use Spring MVC's template support in applications where the
templates are editable by external sources, since this can have security implications.
[[mvc-view-thymeleaf]]
== Thymeleaf
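Review bot: The new WARNING admonition describes the consequence too loosely; "this can have security implications" should say what the implication is, which the preceding sentence already supplies: because views have access to every bean in the application context, anyone who can edit a template can invoke arbitrary application code, so template-editing rights are equivalent to code-deployment rights. Suggest: "As such, we do not recommend using Spring MVC's template support in applications where templates are editable by untrusted parties: a template can invoke any bean, so whoever edits templates effectively controls the application." "Untrusted" is also more precise than "external", since an external but trusted deployment pipeline is not the concern here. Two smaller points on the same lines: the admonition text should read as one paragraph rather than four separately wrapped fragments ("application." standing alone on its own line), and in AsciiDoc the `WARNING:` paragraph must be separated from the preceding paragraph and from the `[[mvc-view-thymeleaf]]` anchor by blank lines, or it renders as a continuation of the intro paragraph; as shown, no blank line is visible before `WARNING:` or before the anchor, so please confirm they are present in the actual file.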