Thymeleaf 3.0.9 JUST PUBLISHED


danielfernandez
Administrator

Thymeleaf 3.0.9 (3.0.9.RELEASE) has been just published.

This is a maintenance release with some bugfixing and feature changes. It should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.

Also, note that this version includes a couple of security-related improvements, so upgrading is heavily recommended.


THYMELEAF 3.0.9 CHANGE LOG

Changes to the Thymeleaf CORE:

  • Fixed hit ratio in StandardCache not being correctly computed (always 1 or 0).
  • Improved restricted expression evaluation mode to restrict access to some request features (#request.getParameter(), #request.getParameterValues(), #request.getParameterMap(), #request.getQueryString()).
  • Added new scenarios for restricted expression evaluation: th:on*, th:attr, th:src, th:href, default attribute processor, fragment expressions, link expressions (only for URL bases), inlined output expressions in TEXT template mode.

Changes to the Thymeleaf SPRING integration packages:

  • [thymeleaf-spring5] Fixed bean validation mechanism trying to create BindStatus for unbound objects because of an improper use of a Spring 5 validation API.
  • [thymeleaf-spring5] Fixed RequestDataValueProcessor not being applied in Spring WebFlux applications.

If you are interested, you can have a look at the list of issues on GitHub:

And of course we invite you to visit the project website at http://www.thymeleaf.org


Explaining the changes in the restricted expression evaluation mode

Thanks to the fact that Thymeleaf actually understands the HTML that it processes (because it parses it), developers can benefit from the template engine helping them reduce the risks of code injection as much as possible. Thymeleaf does this by preventing the use of direct input from users in certain parts of the template. This direct input from users refers to request parameters, as these might not have passed a validation process at the controller.

Prior to this version, Thymeleaf forbade the use of request parameters (${param.*}) in preprocessing expressions and also in unescaped output (th:utext). In this new version, the number of scenarios in which request parameters are forbidden is increased (th:on* JavaScript event handlers, th:src, th:href, etc.) and also additional ways of accessing the request parameters are covered (like directly calling #request.getParameter('x')).
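As an added example (not code from this release or from the Thymeleaf project), the following Java class renders two small templates under 3.0.9 to show the restriction described above: one that reads ${param.*} directly inside th:href, which the restricted evaluation mode now rejects with a TemplateProcessingException, and one that takes the same value from a model variable the controller validated first. It assumes thymeleaf 3.0.9 and spring-test (for the servlet mocks) on the classpath; the class name, the validateNext() helper and the "next" request parameter are hypothetical.

```java
import java.util.Locale;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletContext;
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.WebContext;
import org.thymeleaf.exceptions.TemplateProcessingException;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class RestrictedParamDemo {
    // Constructed, attacker-controlled value of the hypothetical "next" request parameter.
    private static final String TAINTED = "javascript:alert(1)";
    // Feeds the raw request parameter into th:href: forbidden in restricted mode since 3.0.9.
    static final String UNSAFE = "<a th:href=\"${param.next[0]}\">continue</a>";
    // Same link, but the value comes from a model variable the controller validated.
    static final String SAFE = "<a th:href=\"${nextUrl}\">continue</a>";

    static TemplateEngine engine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // Web context backed by a mocked servlet request carrying the tainted parameter.
    static WebContext webContext() {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setParameter("next", TAINTED);
        return new WebContext(request, new MockHttpServletResponse(),
                              new MockServletContext(), Locale.ENGLISH);
    }

    // Controller-side validation (hypothetical): accept only same-site relative paths.
    static String validateNext(String raw) {
        return (raw != null && raw.startsWith("/") && !raw.startsWith("//")) ? raw : "/";
    }

    public static void main(String[] args) {
        TemplateEngine engine = engine();
        try {
            engine.process(UNSAFE, webContext());
            System.out.println("unexpected: ${param.*} was allowed inside th:href");
        } catch (TemplateProcessingException e) {
            System.out.println("blocked by restricted evaluation: " + e.getMessage());
        }
        WebContext ctx = webContext();
        ctx.setVariable("nextUrl", validateNext(TAINTED));
        System.out.println(engine.process(SAFE, ctx)); // renders <a href="/">continue</a>
    }
}
```

The second render succeeds because the template never touches the request parameter itself; the controller has already reduced the value to something safe before it reaches the model.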


SPECIAL NOTES FOR THE Spring 5 WebFlux INTEGRATION

How does Thymeleaf operate in a reactive-friendly way for Spring 5 WebFlux?

Like previous versions, this new version of the Spring 5 integration module includes updated support for the new Spring 5 WebFlux reactive web framework. When used with WebFlux, Thymeleaf can operate in one of three reactive-friendly modes:

  • Full, producing all output in memory and sending it as a single output buffer.
  • Chunked, producing output in buffers (chunks) of a configurable maximum size and sending them to the client as they are produced.
  • Data-Driven, making Thymeleaf work as an integrated part of a reactive stream of data, rendering HTML for the produced data in a way fully sensitive to reactive back-pressure, sending HTML chunks of output to the client as data is produced (and optionally shaping these HTML chunks into SSE events).

Read more about these reactive-friendly operation modes at the thymeleaf-spring5 JavaDocs.

Also, note that there are three sandbox applications prepared to serve as examples of the general thymeleaf-spring5 integration with Spring 5 WebFlux:

  • thymeleafsandbox-stsm-reactive, equivalent to the STSM sample application but using Spring 5, Spring Boot 2.0 and the new Spring WebFlux framework. This sandbox is mainly meant to test form binding.
  • thymeleafsandbox-biglist-reactive, using Spring 5, Spring Boot 2.0 and the new Spring WebFlux framework. This sandbox is meant to test the rendering of large amounts of data.
  • thymeleafsandbox-sse-webflux, using Spring 5, Spring Boot 2.0 and the new Spring WebFlux framework. This sandbox is meant to test the rendering of Server-Sent Events (SSE) directly in HTML (no need for JSON parsing at the browser).

Regards,
Daniel.