2.3.31

Release date: 2021-02-09 + release process

Changes on the FTL side

  • Added ?eval_json to evaluate JSON given as a flat string. This was added because ?eval is routinely misused for the same purpose, which not only doesn't work for all JSON, but can also be a security problem. See more here...

  • Added a new special variable, time_zone (referred to as .time_zone, like all special variables), to retrieve the current value of the time_zone setting as a string.

  • Allowed escaping # with a backslash in identifier names (not in strings), as # occurs in database column names. For example, if you have a column named #users, you can refer to it as row.\#users. (Alternatively, row['#users'] always worked, but is often less convenient.)

  • FREEMARKER-169: Fixed bug that made ?c and the "computer" number format inconsistent. If incompatible_improvements is set to 2.3.31 (or higher), when you set the number_format setting to computer (or you call Environment.getCNumberFormat()), the format now matches the behavior of ?c when formatting infinity (positive and negative) and NaN. Matching the behavior of ?c was always the intent, but before this incompatible improvement, the computer format always behaved like ?c before incompatible improvements 2.3.21, where instead of "INF" and "NaN", the results used the Unicode characters U+221E and U+FFFD.

  • Fixed bug where .globals wasn't seen as a namespace, so something like <#assign name = value in .globals> failed (although you should use <#global name = value> instead anyway).

Changes on the Java side

  • More helpful parser error messages for nesting problems (usually caused by missing or malformed end-tags).

  • Added DOMNodeSupport and JythonSupport boolean properties to DefaultObjectWrapper. This allows disabling the special wrapping of DOM nodes and Jython classes. This might be desirable for security reasons.

  • FREEMARKER-145: Fixed bug where methods with "overloaded" return type may become inaccessible on Java 9+, if some overriding subclasses are not public. (This is because java.beans.Introspector behavior has changed with Java 9.)

  • FREEMARKER-133: Fixed bug where FreeMarker sometimes tries to expose public methods that are defined or overridden in a non-public class, if the non-public class was then extended by a public class. Calling such a method just ends up with IllegalAccessException, but it shouldn't be exposed in the first place. Furthermore, such a wrong method sometimes replaces the good version of the method, which would be callable. When this glitch happens is somewhat unpredictable, as it also depends on what methods java.beans.Introspector exposes (which at the very least can depend on the Java version), and in what order.

  • Fixed bug where OSGi Bundle-RequiredExecutionEnvironment in META-INF/MANIFEST.MF incorrectly contained JavaSE-1.6, J2SE-1.5.

  • FREEMARKER-159: Set Automatic-Module-Name to freemarker in META-INF/MANIFEST.MF. In most cases this was the deduced Java 9 module name earlier, but that was fragile, as Java deduced it from the jar file name.

  • FREEMARKER-165: Fixed bug where, if the namespace expression in a block assignment (like <#assign x in someNamespace>...</#assign>) refers to a missing variable, or has the wrong type, FreeMarker threw NullPointerException or ClassCastException, instead of InvalidReferenceException and NonNamespaceException with a proper, helpful message.
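
The two security-related items above (?eval_json on the FTL side, and the DOMNodeSupport and JythonSupport properties on the Java side) shown together in an added example, which is not code from the FreeMarker project. It assumes FreeMarker 2.3.31 or later on the classpath and sets the two properties through DefaultObjectWrapperBuilder; the class name EvalJsonDemo and the data-model names payload and internalNote are hypothetical, and the sample values are constructed.

```java
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class EvalJsonDemo {  // hypothetical class name

    // Renders an FTL snippet against the given data model and returns the output.
    static String render(Configuration cfg, String ftl, Map<String, Object> model)
            throws IOException, TemplateException {
        StringWriter out = new StringWriter();
        new Template("demo", ftl, cfg).process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setLogTemplateExceptions(false);

        // Turn off the special wrapping of DOM nodes and Jython objects.
        DefaultObjectWrapperBuilder owb =
                new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        owb.setDOMNodeSupport(false);
        owb.setJythonSupport(false);
        cfg.setObjectWrapper(owb.build());

        Map<String, Object> model = new HashMap<>();
        model.put("internalNote", "server-side value");  // constructed
        // Constructed sample: a JSON document received as a flat string.
        model.put("payload", "{\"user\": \"alice\", \"active\": true}");
        System.out.println("eval_json: " + render(cfg, "${payload?eval_json.user}", model));

        // Constructed sample: the same field holding an FTL expression, not JSON.
        model.put("payload", "internalNote");
        // ?eval treats the string as FTL and resolves the data-model variable.
        System.out.println("eval: " + render(cfg, "${payload?eval}", model));
        try {
            render(cfg, "${payload?eval_json}", model);
        } catch (TemplateException e) {
            // ?eval_json only accepts JSON, so the expression is rejected.
            System.out.println("eval_json rejected non-JSON input");
        }
    }
}
```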