The Apache Velocity Project
What is Velocity?
Velocity is a Java-based template engine. It permits anyone to use a simple yet powerful template language to reference objects defined in Java code.
When Velocity is used for web development, Web designers can work in parallel with Java programmers to develop web sites according to the Model-View-Controller (MVC) model, meaning that web page designers can focus solely on creating a site that looks good, and programmers can focus solely on writing top-notch code. Velocity separates Java code from the web pages, making the web site more maintainable over its lifespan and providing a viable alternative to Java Server Pages (JSPs) or PHP.
Velocity's capabilities reach well beyond the realm of the web; for example, it can be used to generate SQL, PostScript and XML from templates. It can be used either as a standalone utility for generating source code and reports, or as an integrated component of other systems. For instance, Velocity provides template services for various web frameworks, enabling them with a view engine facilitating development of web applications according to a true MVC model.
The Apache Velocity Project
Velocity is a project of the Apache Software Foundation, charged with the creation and maintenance of open-source software related to the Apache Velocity Engine. All software created at the Velocity project is available under the Apache Software License and free of charge for the public.
Recent News
2024-10-14 - Velocity Engine 2.4.1 released
2024-09-07 - Velocity Engine 2.4 released
2021-03-09 - Security Advisory for Velocity Engine - Velocity Sandbox Bypass - CVE-2020-13936
Apache Software Foundation
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus-based development process, an open and pragmatic software license, and a desire to create high-quality software that leads the way in its field.
Apache Velocity Projects
Apache Velocity offers the following projects:
Velocity Engine - This is the actual templating engine which does all the work. If you came here because you heard about Velocity somewhere on the web, this is probably the right place to start.
Velocity Tools - This project contains tools and other useful infrastructure to build web and non-web applications using the Velocity engine. You will find, for example, code for Struts integration or the standalone VelocityViewServlet here.
Release Status
Project          Release Version   Alpha/Beta/RC Release Version
Velocity Engine  2.4.1             (currently none available)
Velocity Tools   3.1               (currently none available)
The release distribution is available as a combined source/binary distribution in tar.gz and zip formats, and can be downloaded from our download page.
Security Model
Templates Loading
Velocity Engine and Velocity Tools rely on the template loaders defined in the velocity.properties configuration file and/or properties defined in the webapp descriptor or web container configuration. If those configurations are compromised, Velocity cannot ensure that templates do not come from a malicious source. This is NOT a Velocity vulnerability. If the attacker is already in control of the web application configuration files, they already have far more powerful attack vectors than template injection.
Velocity Context
Velocity Engine provides a SecureUberspector helper class which helps ensure that the Velocity context does not contain any dangerous class in a user-facing template editing scenario. But this class and its configuration are just provided as a starting point: Velocity cannot know in advance how the Velocity context is populated and cannot possibly ban all potentially dangerous classes. It is the responsibility of the application authors to audit every object placed in the context to ensure that no dangerous class is accessible to template authors.
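An added example (not code from the Velocity project) of the application-side audit described above: it enables SecureUberspector and rejects context values of a few dangerous types before rendering. The ContextAudit class, its DENIED list and the sample values are assumptions made for illustration, and the check covers only top-level context values, not the objects reachable from them.

```java
import java.io.StringWriter;
import java.util.List;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

public class ContextAudit {
    // Hypothetical application-level denylist; extend it for your own object model.
    static final List<Class<?>> DENIED = List.of(
        Class.class, ClassLoader.class, Thread.class, Runtime.class, Process.class);

    // Reject any context value that is an instance of a denied class.
    // Shallow check: getters on an allowed object can still return denied types.
    static void audit(VelocityContext ctx) {
        for (Object key : ctx.getKeys()) {
            Object value = ctx.get(String.valueOf(key));
            for (Class<?> denied : DENIED) {
                if (denied.isInstance(value)) {
                    throw new SecurityException(
                        "context key '" + key + "' exposes " + denied.getName());
                }
            }
        }
    }

    public static void main(String[] args) {
        VelocityEngine engine = new VelocityEngine();
        // The helper class named on this page; a starting point, not a complete sandbox.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                           SecureUberspector.class.getName());
        engine.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("user", "alice");                 // constructed sample value
        audit(ctx);                               // passes: a String is not denied
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "audit-demo", "Hello $user");
        System.out.println(out);

        ctx.put("loader", ContextAudit.class.getClassLoader()); // constructed bad entry
        try {
            audit(ctx);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```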
More Information
For more information about the Apache Velocity Project, see:
How the Apache Velocity project works
Who are the people behind the Apache Velocity project
Find out how to get involved with the Apache Velocity project
Contact the Apache Velocity project
For more information about the Apache Software Foundation, see:
Foundation Home Page
Apache License and Distribution FAQ
Copyright © 2020 The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache and the Apache feather logo are trademarks of The Apache Software Foundation.