From dc3a73ee02ca183c509dedf703db28c80219c41c Mon Sep 17 00:00:00 2001
From: johnniang
Date: Fri, 13 Dec 2019 01:25:18 +0800
Subject: [PATCH] Config freemarker with safer resolver
---
 .../java/run/halo/app/config/WebMvcAutoConfiguration.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/main/java/run/halo/app/config/WebMvcAutoConfiguration.java b/src/main/java/run/halo/app/config/WebMvcAutoConfiguration.java
index 08b76bfb7..7035007b0 100644
--- a/src/main/java/run/halo/app/config/WebMvcAutoConfiguration.java
+++ b/src/main/java/run/halo/app/config/WebMvcAutoConfiguration.java
@@ -1,6 +1,7 @@
 package run.halo.app.config;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import freemarker.core.TemplateClassResolver;
 import freemarker.template.TemplateException;
 import freemarker.template.TemplateExceptionHandler;
 import lombok.extern.slf4j.Slf4j;
@@ -131,6 +132,9 @@ public class WebMvcAutoConfiguration implements WebMvcConfigurer { // Predefine configuration freemarker.template.Configuration configuration = configurer.createConfiguration(); + + configuration.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER); + + if (haloProperties.isProductionEnv()) { configuration.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER); }
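Review bot: `TemplateClassResolver.SAFER_RESOLVER` on the added `setNewBuiltinClassResolver` line is a deny-list: it stops the `?new` built-in from resolving FreeMarker's `ObjectConstructor`, `Execute` and `JythonRuntime` utility classes, but still lets `?new` instantiate any other class that implements `TemplateModel`. If no shipped theme relies on `?new`, the tighter setting is `configuration.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);`. A short why-comment above the call, such as `// Security: limit which classes the ?new built-in may instantiate`, would tell the next maintainer that this is a security control and not a tuning knob. The enclosing method starts and ends outside the hunk, so it is not visible here whether the modified `configuration` is handed back to `configurer`, or whether other template-exposure settings (the object wrapper, the `?api` built-in) are constrained as well.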