⚠️ Security Warning: RAW mode does NOT escape HTML. Never use it with unsanitized user input — XSS risk!

Available Endpoints

RAW vs TEXT vs HTML – Escaping Comparison

Mode HTML Escaping Markup Parsed Best For
HTML✅ Yes✅ YesWeb pages
TEXT✅ Yes❌ NoEmails, reports, config
RAW❌ No❌ NoPre-sanitized content, CMS
XML✅ Yes✅ YesAPI responses
JAVASCRIPTJS escape❌ NoDynamic scripts
CSSCSS escape❌ NoDynamic styles

RAW engine configuration (ThymeleafConfig.java):


@Bean(name = "rawTemplateEngine")
public SpringTemplateEngine rawTemplateEngine() {
    SpringTemplateEngine engine = new SpringTemplateEngine();
    engine.addTemplateResolver(rawTemplateResolver());
    return engine;
}

private ITemplateResolver rawTemplateResolver() {
    ClassLoaderTemplateResolver resolver = new ClassLoaderTemplateResolver();
    resolver.setPrefix("templates/raw/");
    resolver.setSuffix(".raw");
    resolver.setTemplateMode(TemplateMode.RAW);   // ← key setting
    resolver.setCharacterEncoding("UTF-8");
    return resolver;
}