PoolParty Linked Data Frontend Template Guide
09/12/2025
This guide details the file structure of PoolParty's Linked Data Frontend templates and announces a critical CSP update that disallows unsafe-inline styles and scripts, requiring developers to refactor all inline code, especially within Velocity Templates (.vm files), to external CSS/JS files.
The templates for the Linked Data Frontend reside in the frontendRoot directory that can be found here:
/opt/poolparty/data/frontendRoot
The basic structure of the templates in a PoolParty installation is as follows:
Default template delivered with a PoolParty installation

- `conf.vm` - common settings. Here, common variables and configuration options are defined.
- `vars.vm` - variables used in all templates. Here you can find URI definition shortcuts.
- `foot.vm` - footer of the template, used in all page setups
- `head.vm` - header of the template, used in all page setups
- `makros.vm` - set of shared functions that are used in other templates
- `server.vm` - HTML view of the server page
- lang
  - `de.vm` - German labels
  - `en.vm` - English labels
- js
  - `script.js` - collection of JavaScript functions. E.g. `showIndex` formulates a SPARQL query to collect all concepts of a project, starting with the respective character.
- project
  - `html.vm` - HTML view of the project
- resource
  - `html.vm` - HTML view of a resource. Distinction between concepts and concept schemes
  - `visual.vm` - visual view of a resource (concept, concept scheme)
  - `concept.vm` - view of a concept
  - `conceptscheme.vm` - view of a concept scheme
  - `map.vm` - covering available languages
Templates in the custom directory overwrite templates in the default directory. Different templates can be defined down to the project level.
To use a different template for a project, create a directory in the custom directory and name it after the projectID of the project.
This only works if the projectID does not contain characters that are not allowed in Linux directory names.
For example, a projectID like 'project/myThesaurus' would not work because of the '/'.
In brief,
`custom/projectID/server.vm` overwrites `custom/server.vm`
and
`custom/server.vm` overwrites `default/server.vm`
As you can see from the default structure you can have a template per
To improve application security against Cross-Site Scripting (XSS), the Content Security Policy (CSP) has been updated so that the `unsafe-inline` keyword is no longer allowed in either `style-src` or `script-src`. This change is effective as of PoolParty version 10.1.
All developers must refactor code to eliminate inline scripts and styles. This applies to all front-end assets, including JavaScript, CSS, and Velocity Templates (.vm files).
The CSP update may yield the following challenges:

- Inline JavaScript: Any JavaScript code written directly in HTML (e.g., `onclick`, `<script>` tags with inline code) will no longer execute.
- Inline Styles: Any CSS styles written directly in HTML (such as style attributes) will no longer apply.
- Third-party Resources: External scripts or styles not hosted on the same domain may require explicit whitelisting in the CSP.
Note

Google Tag Manager and Google Analytics are whitelisted. To enable them, place the Google Analytics initialization code inside a separate JavaScript file and reference the file in the `<head>` tag inside the `head.vm` file.
| Not Allowed | Allowed |
|---|---|
| This element cannot be used because the CSP disallows the use of `<button onclick="alert('Hello!')">Click Me</button>` | Move the JavaScript to an external file or a `<button id="myButton">Click Me</button>` `<script src="path/to/external.js"></script>` external.js: `document.getElementById('myButton').addEventListener('click', function() { alert('Hello!'); });` |
| Similarly, inline style attributes like `<div style="color: red;">This is red text</div>` | Instead, move the styles to an external CSS file or a `<div class="red-text">This is red text</div>` `<link rel="stylesheet" href="path/to/styles.css">` styles.css: `.red-text { color: red; }` |
| Passing a dynamic JavaScript variable by embedding it within a forbidden inline `<script> var config = { key: "value" };</script>` | Instead, use `<div id="app-config" data-key="value"></div>` `<script src="path/to/config.js"></script>` config.js: `const configElement = document.getElementById('app-config'); const config = { key: configElement.getAttribute('data-key') };` |
| Attempting to put whitelisted Google Analytics code in a `<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>` | Instead, externalize the initialization logic into a local file (for example, named `<script type="text/javascript" src="#frontendLink('default/js/ga-setup.js')"></script>` |
By adhering to the updated CSP, we significantly improve the security of the application. While this introduces some migration challenges, the examples provided should help you transition your code to be CSP-compliant. If you encounter any issues or require external resources to be whitelisted, please reach out to your Graphwise representative for assistance. For more information on the Content Security Policy, visit the Mozilla documentation.
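
To find what needs refactoring before upgrading, the following added example (not part of the PoolParty documentation or product) scans template text for the inline scripts, event-handler attributes, style attributes and `<style>` blocks that the updated CSP blocks. The function name `scanTemplate`, the check names and the sample template are constructed for illustration; the regexes are heuristics, so treat each hit as a lead for manual review.

```javascript
// Added example: heuristic scan of Velocity (.vm) template text for markup
// that a CSP without 'unsafe-inline' in script-src/style-src will block.
const CHECKS = [
  // <script> opening tag with no src attribute => inline code
  { kind: 'inline-script', re: /<script\b(?![^>]*\ssrc\s*=)[^>]*>/gi },
  // any on* attribute (onclick, onload, ...) inside an opening tag
  { kind: 'event-handler', re: /<[a-z][^>]*\son[a-z]+\s*=/gi },
  // style="..." attribute inside an opening tag
  { kind: 'style-attribute', re: /<[a-z][^>]*\sstyle\s*=/gi },
  // <style> block embedded in the page
  { kind: 'style-block', re: /<style\b[^>]*>/gi },
];

// Returns [{ file, line, kind }] sorted by line number.
function scanTemplate(file, text) {
  const findings = [];
  for (const { kind, re } of CHECKS) {
    for (const m of text.matchAll(re)) {
      // 1-based line number of the start of the offending tag
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({ file, line, kind });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample template (not a real PoolParty file). Lines 2 and 8 are
// already CSP-compliant; lines 3, 4, 6 and 7 use the patterns from the table.
const SAMPLE = `<head>
  <script type="text/javascript" src="#frontendLink('default/js/script.js')"></script>
  <script>var config = { key: "value" };</script>
  <style>.red-text { color: red; }</style>
</head>
<button onclick="alert('Hello!')">Click Me</button>
<div style="color: red;">This is red text</div>
<div id="app-config" data-key="value" class="red-text"></div>`;

for (const f of scanTemplate('custom/head.vm', SAMPLE)) {
  console.log(`${f.file}:${f.line}: ${f.kind}`);
}
```

Run it with Node.js and pass `scanTemplate` the contents of each `.vm` file under `/opt/poolparty/data/frontendRoot`.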