Thymeleaf 3.0.9 (3.0.9.RELEASE) has just been published.
This is a maintenance release with some bug fixes and feature changes. It should work as a drop-in replacement for 3.0.x versions. Have a look at our Download Page to learn how to obtain it.
Also, note that this version includes a couple of security-related improvements, so upgrading is strongly recommended.
THYMELEAF 3.0.9 CHANGE LOG
Changes to the Thymeleaf CORE:
Fixed hit ratio in StandardCache not being correctly computed (always 1 or 0).
Improved restricted expression evaluation mode to restrict access to some request features (#request.getParameter(), #request.getParameterValues(), #request.getParameterMap(), #request.getQueryString()).
Added new scenarios for restricted expression evaluation: th:on*, th:attr, th:src, th:href, default attribute processor, fragment expressions, link expressions (only for URL bases), inlined output expressions in TEXT template mode.
Changes to the Thymeleaf SPRING integration packages:
[thymeleaf-spring5] Fixed bean validation mechanism trying to create BindStatus for unbound objects because of an improper use of a Spring 5 validation API.
[thymeleaf-spring5] Fixed RequestDataValueProcessor not being applied in Spring WebFlux applications.
If you are interested, you can have a look at the list of issues on GitHub:
Explaining the changes in the restricted expression evaluation mode
Thanks to the fact that Thymeleaf actually understands the HTML that it processes (because it parses it), developers can benefit from the template engine helping them reduce the risks of code injection as much as possible. Thymeleaf does this by preventing the use of direct input from users in certain parts of the template. This direct input from users refers to request parameters, as these might not have passed a validation process at the controller.
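A pre-upgrade check for the restricted scenarios listed in the change log, added here as an example (it is not Thymeleaf code): a Python scan that reports th:on*, th:attr, th:src and th:href attributes whose expressions read request data. The `param` object check, the function name and the sample template are assumptions of this example, and the match is a text heuristic for review, not the engine's own evaluation.

```python
import re

# Request accessors named in the 3.0.9 change log, plus the `param` context
# object that Thymeleaf exposes for request parameters (assumption: also audited).
REQUEST_ACCESS = re.compile(
    r"#request\.(?:getParameterValues|getParameterMap|getParameter|getQueryString)\s*\("
    r"|(?<![\w.#])param\s*[.\[]"
)
# Attributes the change log lists as newly restricted: th:on*, th:attr, th:src, th:href.
RESTRICTED_ATTR = re.compile(
    r"""\b(th:(?:on\w+|attr|src|href))\s*=\s*(?:"([^"]*)"|'([^']*)')"""
)

# Constructed sample template (not taken from any real application).
SAMPLE = """<a th:href="@{${param.next}}">Continue</a>
<button th:onclick="'show(' + ${#request.getParameter('id')} + ')'">Show</button>
<img th:src="@{/img/logo.png}" alt="logo">
<a th:href="@{/orders/{id}(id=${order.id})}">Order</a>
<p th:text="${param.q}">query</p>
"""

def audit_template(text):
    """Return (line_no, attribute, accessor) for every restricted attribute
    whose value reads request data directly."""
    findings = []
    for m in RESTRICTED_ATTR.finditer(text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        hit = REQUEST_ACCESS.search(value)
        if hit:
            line_no = text.count("\n", 0, m.start()) + 1
            accessor = hit.group(0).rstrip("([. ")
            findings.append((line_no, m.group(1), accessor))
    return findings

if __name__ == "__main__":
    # th:text on the last sample line is not in the change log's list, so it is not reported.
    for line_no, attr, accessor in audit_template(SAMPLE):
        print(f"line {line_no}: {attr} reads {accessor}; pass a validated model attribute instead")
```

Each finding marks a place where the value should come from a model attribute that the controller has validated, rather than from the request itself.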
SPECIAL NOTES FOR THE Spring 5 WebFlux INTEGRATION
How does Thymeleaf operate in a reactive-friendly way for Spring 5 WebFlux?
Like previous versions, this new version of the Spring 5 integration module includes updated support for the new Spring 5 WebFlux reactive web framework. When used with WebFlux, Thymeleaf can operate in one of three reactive-friendly modes:
Full, producing all output in memory and sending it as a single output buffer.
Chunked, producing output in buffers (chunks) of a configurable maximum size and sending them to the client as they are produced.
Data-Driven, making Thymeleaf work as an integrated part of a reactive stream of data, rendering HTML for the produced data in a way fully sensitive to reactive back-pressure, sending HTML chunks of output to the client as data is produced (and optionally shaping these HTML chunks into SSE events).
Also, note that there are three sandbox applications prepared to serve as examples of the general thymeleaf-spring5 integration with Spring 5 WebFlux:
thymeleafsandbox-stsm-reactive, equivalent to the STSM sample application but using Spring 5, Spring Boot 2.0 and the new Spring WebFlux framework. This sandbox is mainly meant to test form binding.
thymeleafsandbox-biglist-reactive, using Spring 5, Spring Boot 2.0 and the new Spring WebFlux framework. This sandbox is meant to test the rendering of large amounts of data.
thymeleafsandbox-sse-webflux, using Spring 5, Spring Boot 2.0 and the new Spring WebFlux framework. This sandbox is meant to test the rendering of Server-Sent Events (SSE) directly in HTML (no need for JSON parsing at the browser).
What's so wrong about the last release being from 8 months ago? :)
No, don't worry, Thymeleaf is not dead, and there is quite a lot of work already done for the upcoming 3.0.10, which is a difficult release because of some technical difficulties related to Spring Security 5 integration. And of course, contributions are always welcome. Please check our tickets with the "help wanted" label on GitHub, or send an email to the team with your ideas.