⚠️ Security Warning: RAW mode does NOT escape HTML.
Never use it with unsanitized user input — XSS risk!
RAW vs TEXT vs HTML – Escaping Comparison
| Mode |
HTML Escaping |
Markup Parsed |
Best For |
| HTML | ✅ Yes | ✅ Yes | Web pages |
| TEXT | ✅ Yes | ❌ No | Emails, reports, config |
| RAW | ❌ No | ❌ No | Pre-sanitized content, CMS |
| XML | ✅ Yes | ✅ Yes | API responses |
| JAVASCRIPT | JS escape | ❌ No | Dynamic scripts |
| CSS | CSS escape | ❌ No | Dynamic styles |
RAW engine configuration (ThymeleafConfig.java):
@Bean(name = "rawTemplateEngine")
public SpringTemplateEngine rawTemplateEngine() {
SpringTemplateEngine engine = new SpringTemplateEngine();
engine.addTemplateResolver(rawTemplateResolver());
return engine;
}
private ITemplateResolver rawTemplateResolver() {
ClassLoaderTemplateResolver resolver = new ClassLoaderTemplateResolver();
resolver.setPrefix("templates/raw/");
resolver.setSuffix(".raw");
resolver.setTemplateMode(TemplateMode.RAW); // ← key setting
resolver.setCharacterEncoding("UTF-8");
return resolver;
}