Hi - 

I couldn't find an answer to this in the list archives or with general web 
search.  I am trying to escape HTML when displaying user-entered data for 
typical usual reasons of not having my app open to CSS attack.  

I have set up the EscapeHtmlReference code and it works fine, but the issue is 
that using the layout servlet, it appears that the HTML escaping tool either 
escapes the entire $screen_content value or, by setting 
eventhandler.escape.html.match to /^screen_content/, none of it.  It appears 
that the tool isn't aware of (or doesn't have visibility into) the pre-merged 
state of everything below $screen_content, and so merges everything and then 
escapes everything in $screen_content.

Is there an HTML reference escaper that is aware of layouts and can properly 
handle this situation (i.e., don't just escape $screen_content - escape 
everything in the template content)?

Thank you for any thoughts,

Dave
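
The two-pass layout merge described in the message above, as a toy Python model added here (not Velocity code and not part of the original post): it shows the merged screen being escaped a second time when every reference is escaped, next to a match pattern that skips $screen_content. It assumes the escape hook runs on both merges and that the match regex is tested against the reference text as written, including the `$`; `merge`, `render` and the sample templates are constructed for illustration.

```python
import html
import re

# Matches $name, $!name, ${name} and $!{name} style references.
REF = re.compile(r"\$!?\{?([A-Za-z_]\w*)\}?")


def merge(template, context, escape_match=None):
    """Toy model of one template merge with a reference-insertion hook.

    escape_match is a regex tested against the reference text as written
    (e.g. "$screen_content"); None means every inserted value is escaped.
    Both behaviours are assumptions of this model.
    """
    def insert(m):
        value = str(context.get(m.group(1), m.group(0)))
        if escape_match is None or re.search(escape_match, m.group(0)):
            return html.escape(value)
        return value
    return REF.sub(insert, template)


def render(screen, layout, context, escape_match=None):
    """Two-pass layout merge: the screen first, then the layout around it."""
    body = merge(screen, context, escape_match)
    return merge(layout, dict(context, screen_content=body), escape_match)


# Constructed sample templates and user-entered value.
SCREEN = "<p>Hello $name</p>"
LAYOUT = "<html><body>$screen_content</body></html>"
CTX = {"name": "<script>alert(1)</script>"}

# Escape every reference: the already-merged screen is escaped again,
# so its own markup is broken and the user data is double-escaped.
escape_all = render(SCREEN, LAYOUT, CTX)

# Escape every reference except $screen_content (negative lookahead):
# user data is escaped once in the screen pass, layout markup survives.
SKIP_SCREEN = r"^(?!\$!?\{?screen_content\b)"
skip_screen = render(SCREEN, LAYOUT, CTX, SKIP_SCREEN)

if __name__ == "__main__":
    print(escape_all)
    print(skip_screen)
```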


      
