Thymeleaf 2.1.6 JUST PUBLISHED

Thymeleaf 2.1.6 has just been published.

This is a maintenance version for the old 2.1.x branch, and should work as a drop-in replacement for 2.1.x versions.
Also, note that this version is focused on a couple of security-related improvements, so upgrading is heavily recommended.

Remember however that Thymeleaf 3.0 is the currently recommended major version.

Change log:

  • Improve restricted expression evaluation mode to restrict access to some request features (#request.getParameter(), #request.getParameterValues(), #request.getParameterMap(), #request.getQueryString()).
  • Add new scenarios for restricted expression evaluation: th:on*, th:attr, th:src, th:href, th:include, th:replace, th:substituteby, link expressions (only for URL bases).

Explaining the changes in the restricted expression evaluation mode

Thanks to the fact that Thymeleaf actually understands the HTML that it processes (because it parses it), developers can benefit from the template engine helping them reduce the risks of code injection as much as possible. Thymeleaf does this by preventing the use of direct input from users in certain parts of the template. This direct input from users refers to request parameters, as these might not have passed a validation process at the controller.

Prior to this version, Thymeleaf forbade the use of request parameters (${param.*}) in preprocessing expressions and also in unescaped output (th:utext). In this new version, the number of scenarios in which request parameters are forbidden is increased (th:on* JavaScript event handlers, th:src, th:href, etc.) and also additional ways of accessing the request parameters are covered (like directly calling #request.getParameter('x')).
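To make the scenarios above concrete, here is a constructed template (an added example, not part of the announcement or of the Thymeleaf project) that contrasts expressions the 2.1.6 restricted mode refuses with the pattern it wants you to use instead; the model attribute names (nextUrl, greeting) and the validating controller are assumed.

```html
<!-- Constructed example: how the 2.1.6 restricted expression evaluation mode
     treats request parameters. Assumes a controller that validates the incoming
     parameters and exposes them as the model attributes "nextUrl" and "greeting"
     (names invented for this example). -->
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<body>

  <!-- REFUSED (already before 2.1.6): a request parameter in unescaped output.
       Raw user input would be written into the page as HTML. -->
  <p th:utext="${param.msg[0]}">placeholder</p>

  <!-- REFUSED (new in 2.1.6): request parameters as th:href / th:src values.
       A user-supplied URL base is exactly the input a URL attribute should never trust. -->
  <a th:href="${param.next[0]}">Continue</a>
  <script th:src="${param.lib[0]}"></script>

  <!-- REFUSED (new in 2.1.6): the same data reached through #request.getParameter(),
       here inside a th:on* event handler (JavaScript context). -->
  <button th:onclick="'track(\'' + ${#request.getParameter('id')} + '\')'">Track</button>

  <!-- NOT RESTRICTED: th:text is escaped output and is not in the restricted list,
       so the parameter is still usable here and is HTML-escaped on output. -->
  <p th:text="${param.msg[0]}">placeholder</p>

  <!-- RECOMMENDED: the controller validates the parameter and puts the result in
       the model; the template never reads the raw request. A link expression whose
       base comes from the model is fine in restricted mode. -->
  <a th:href="@{${nextUrl}}">Continue</a>
  <p th:text="${greeting}">placeholder</p>

</body>
</html>
```

Processing any of the REFUSED expressions with 2.1.6 fails at template evaluation time rather than rendering the raw parameter, which is the behaviour this release adds.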

For more detail, have a look at the list of issues at GitHub for version 2.1.6.

And of course visit the project website at