Hmm.  That's odd that nothing gets escaped in the screen when you set
"eventhandler.escape.html.match to /^screen_content/".  I'll have to
try this out myself, as I'm fairly sure that should have done the
trick.

2009/1/29 dcree...@yahoo.com <dcree...@yahoo.com>:
> Hi -
>
> I couldn't find an answer to this in the list archives or with general web 
> search.  I am trying to escape HTML when displaying user entered data for 
> typical usual reasons of not having my app open to CSS attack.
>
> I have set up the EscapeHtmlReference code and it works fine, but the issue is 
> that using the layout servlet, it appears that the HTML escaping tool either 
> escapes the entire $screen_content value or, by setting 
> eventhandler.escape.html.match to /^screen_content/, none of it.  It appears 
> that the tool isn't aware of (or doesn't have visibility into) the pre-merged 
> state of everything below $screen_content, and so merges everything and then 
> escapes everything in $screen_content.
>
> Is there an HTML reference escaper that is aware of layouts and can properly 
> handle this situation (i.e., don't just escape $screen_content - escape 
> everything in the template content)?
>
> Thank you for any thoughts,
>
> Dave
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@velocity.apache.org
> For additional commands, e-mail: general-h...@velocity.apache.org
>
>
