Fork me on GitHub

Implicit functions & variables

Security and templating

Ninja is HTML escaping all variables that you render by default. If you don’t want to do that you can use “no_esc”:



i18n and the view

You can access all messages by using a simple method inside your templates.

Lets say your looks like:

casinoRegistrationTitle=My funky title

You can then access the variable inside your view like that.


Flash content in the view

The flash scope of the application is important. It helps to maintain a little bit of state between requests even on a RESTful architecture.

Rendering the flash error and success messages is straight forward.

Please note that all variables of the flash scope are prefixed with “flash.”.

A simple demo of that

<#if (flash.error)??>
        <p class="error">${flash.error}</p>

<#if (flash.success)??>
        <p class="success">${flash.success}</p>

This simply checks if a flash error or success is there and prints the message out. The message itself is being translated.

Implicit variables available in templates

  • ${session.*} You can access all session-cookie values by their keys prefixed with the accessor “session.”. E.g.: If you had set a cookie with the key “username”, then you can use ${session.username} to resolve the username and display it.
  • ${flash.success} Translated (if possible) flash success message (via success(“value”)).
  • ${flash.error} Translated (if possible) flash error message (via error(“value”)).
  • ${flash.*} Translated (if possible) flash message with arbitrary key (via put(“key”, “value”)).
  • ${lang} resolves to the language Ninja uses currently.
  • ${contextPath} resolves the context path of the application (empty if running on root)

Implicit functions available in templates


Reverse route allows you to calculate a reverse route inside your templates. For instance via ${reverseRoute(“controllers.ApplicationController”, “userDashboard”, “email”, email, “id”, id)}.

First parameter is the controller name, second parameter the method name. All other parameters are optional and used to replace variable parts inside the route with appropriate values.

In the example above the user rendered the variable parts with Results.html().render(“id”, 1000).render(“email”, “[email protected]”) .

For a route like router.GET().route(“/user/{id}/{email}/userDashboard”).with(ApplicationController.class, “userDashboard”); the result is: /me/user/1000/[email protected]/userDashboard.


assetsAt is a shortcut to get a reverse route for an asset of your assets directory. ${assetsAt(“css/custom.css”)} would render the location of custom.css. The corresponding route could be router.GET().route(“/assets/{fileName: .*}”).with(AssetsController.class, “serveStatic”);.

This would then result in the following output: /assets/css/custom.css.


webJarsAt allows you to render webjar contents (see Static assets for more information about WebJars. For instance ${webJarsAt(“bootstrap/3.3.4/css/bootstrap.min.css”)} would render a css file from a webJars jar. The corresponding route could be router.GET().route(“/assets/webjars/{fileName: .*}”).with(AssetsController.class, “serveWebJars”);.

This would then result in the following output: /assets/webjars/bootstrap/3.3.4/css/bootstrap.min.css or // ; depending on your application.webjars.prefer_cdn configuration property. You can always pass true as a second argument of webJarsAt to force usage of a local webjar content.


i18n allows you to render translated strings. For instance ${i18n("myi18nKey")} allows you to render the value for myi18nKey in the correct language for your user. Please refer to chapter “internationalization” for more information.


prettyTime allows you to format localized relative dates. ${prettyTime(myDate)}

For instance, if you had a date object that represented yesterday, prettyTime would format that as 1 day ago in the preferred Locale of the request.


authenticity allows you to retrieve an authenticity token for protection against CSRF-requests. You can either get a prefilled hidden input field or simply the token itself.

To get the prefilled hidden input field, use the following code <@authenticityForm/>

To get the token, use the following code <@authenticityToken/>

If you use either the form or the token you might want to check the token in your controller. Ninja offers a filter for checking the correctness of the token. Just add the following filter to your controller class or method. FilterWith(AuthenticityFilter.class)

If the token is invalid the user will see a 403 Forbidden error page.