Support for Thymeleaf
Description
Parent task for the steps in adding support for Thymeleaf as an alternative to Velocity and tracking any open issues needing follow up.
Environment
Activity
The CSP work being added to 5.1 was one of the more challenging bits to add to the Thymeleaf POC, but it does work to a point.
You can in fact call void methods and “assign” them to local variables, though it’s not obvious what that does, probably leaves them set to null. The syntax for building the expressions is pretty torturous but did work eventually.
The two major issues are:
One cannot build an expression to populate an inline event handler attribute like onClick or OnLoad because TL won’t allow it for “reasons”. The workaround loses some of the security protections of the CSP header because it relies on calling a fixed function defined in a script block and that’s nonced because hashing that is quite messy. So an attacker with access to the body can change the script freely and thus the behavior of the event handler.
In my testing, putting the addHeader calls very late in the template worked to keep the logic localized, but that likely only worked by accident due to the template being small enough to fit into a buffer inside the server. Even Velocity probably doesn’t guarantee the ability to set headers at the top of a document but it has seemed to work. So probably we just need to move the logic up into the top of the templates.
We have POC work done on this, but the intended way forward is to accommodate new view tech via plugins. Once that’s settled, we’ll create a plugin project for that to track that work.
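As an added illustration of the two points raised in the comments above (the per-request nonce for the script block, and the risk of setting the CSP header after the response buffer may already have been flushed), here is example code that is not part of this project or of Thymeleaf. It assumes a javax.servlet container and a filter mapped in front of the view layer; the class name CspNonceFilter, the attribute name cspNonce and the policy string are all illustrative choices, not anything the project defines.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not the project's own code).
 *
 * It generates a fresh nonce per request, sets the Content-Security-Policy
 * header BEFORE the template engine writes any output (so it never depends on
 * the whole page fitting into the servlet response buffer), and hands the
 * nonce to the view as a request attribute.  A Thymeleaf template in a web
 * context can then read it as a plain variable, e.g.
 *
 *   <script th:attr="nonce=${cspNonce}">
 *     document.getElementById('save').addEventListener('click', save);
 *   </script>
 *
 * which keeps the handler out of an inline onclick attribute, the thing the
 * comment above notes Thymeleaf will not let an expression populate.
 */
public class CspNonceFilter implements Filter {

    /** Name under which the nonce is exposed to the view (illustrative). */
    public static final String NONCE_ATTRIBUTE = "cspNonce";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** 128 bits from a CSPRNG, base64-encoded, as the CSP spec recommends. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /**
     * Policy value: only scripts carrying this request's nonce may execute,
     * so a script injected into the page body without the nonce is blocked.
     * The directive list is an example policy, not the project's.
     */
    static String cspHeader(String nonce) {
        return "default-src 'self'; "
             + "script-src 'nonce-" + nonce + "'; "
             + "object-src 'none'; "
             + "base-uri 'self'";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String nonce = newNonce();

        // Set the header first: once the response is committed (buffer
        // flushed), setHeader is silently ignored, which is exactly the
        // failure mode the "addHeader late in the template" approach risks.
        response.setHeader("Content-Security-Policy", cspHeader(nonce));
        request.setAttribute(NONCE_ATTRIBUTE, nonce);

        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed for this example
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The design point is that the header and the nonce are decided by the filter, outside the template, so neither Velocity nor Thymeleaf has to guarantee anything about header ordering; the template only has to echo the nonce into the one script element it owns. Because a new nonce is issued on every request, an attacker who can inject markup into the body does not learn a reusable value, which is the protection the comment above notes is weakened when the script block is nonced instead of hashed.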