Hi - I couldn't find an answer to this in the list archives or with general web search. I am trying to escape HTML when displaying user-entered data, for the usual reasons of not having my app open to CSS attack.
I have set up the EscapeHtmlReference code and it works fine, but the issue is that, when using the layout servlet, it appears that the HTML escaping tool either escapes the entire $screen_content value or, by setting eventhandler.escape.html.match to /^screen_content/, none of it. It appears that the tool isn't aware of (or doesn't have visibility into) the pre-merged state of everything below $screen_content, and so merges everything and then escapes everything in $screen_content.

Is there an HTML reference escaper that is aware of layouts and can properly handle this situation (i.e., don't just escape $screen_content - escape everything in the template content)?

Thank you for any thoughts,
Dave