Ok, I tried this, and it turns out that /^screen_content/ matches the $screen_content reference specifically. In Perl regex (which is used here via the Jakarta Oro lib), ^ denotes the start of a line unless it is used in a class definition like [^a-z], in which case it negates the class.

http://www.rexswain.com/perl5.html#regular

I'm actually not sure how to write an expression that matches everything but $screen_content, except perhaps /^[^_]+$/ (which would match anything that didn't have a _ in it). Not ideal, but I'm drawing a blank on other ways to achieve this. If there's no way to define an entirely negated regex, then we should perhaps consider adding a property like:

eventhandler.escape.html.match.except

or something like that.

P.S. I just noticed that this conversation is on the general@ list. This would be better on the user@ list (where there are more people watching).

On Wed, Feb 4, 2009 at 12:46 PM, dcree...@yahoo.com <dcree...@yahoo.com> wrote:
> Hi Nathan - thanks. Anyone have any additional thoughts on this? Beginning to believe that without writing my own plugin to Velocity escaping HTML in Velocity Layout Servlet is impossible (short of putting in some sort of escape tag).
>
> Thanks,
>
> Dave
>
> --- On Mon, 2/2/09, Nathan Bubna <nbu...@gmail.com> wrote:
>
>> From: Nathan Bubna <nbu...@gmail.com>
>> Subject: Re: Escaping HTML with Velocity Layout Servlet
>> To: "general" <general@velocity.apache.org>, "dcreed97" <dcree...@yahoo.com>
>> Date: Monday, February 2, 2009, 1:14 PM
>>
>> Hmm. That's odd that nothing gets escaped in the screen when you set "eventhandler.escape.html.match to /^screen_content/". I'll have to try this out myself, as I'm fairly sure that should have done the trick.
>>
>> 2009/1/29 dcree...@yahoo.com <dcree...@yahoo.com>:
>> > Hi -
>> >
>> > I couldn't find an answer to this in the list archives or with general web search. I am trying to escape HTML when displaying user entered data for typical usual reasons of not having my app open to CSS attack.
>> >
>> > I have set up the EscapeHtmlReference code and it works fine, but the issue is that using the layout servlet, it appears that html escaping tool either escapes the entire $screen_content value or, by setting eventhandler.escape.html.match to /^screen_content/, none of it. It appears that the tool isn't aware (or doesn't have visibility into) of the pre-merged state of everything below $screen_content, and so merges everything and then escapes everything in $screen_content.
>> >
>> > Is there an HTML reference escaper that is aware of layouts and can properly handle this situation (i.e., don't just escape $screen_content - escape everything in the template content).
>> >
>> > Thank you for any thoughts,
>> >
>> > Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@velocity.apache.org
For additional commands, e-mail: general-h...@velocity.apache.org
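
Added example, not part of the original thread: a small model of the two-pass layout merge (screen first, then layout) showing which references get HTML-escaped under the two patterns from the thread and under a negative-lookahead pattern. Assumptions: Python's re stands in for Jakarta Oro, the reference name is matched without its leading "$", Oro accepts the Perl (?!...) lookahead, and the templates, reference names and values are constructed.

```python
import html
import re

# Constructed templates and user-entered values for illustration.
SCREEN = "<p>$user_name: $comment</p>"
LAYOUT = "<html><body>$screen_content</body></html>"
USER_INPUT = {"user_name": "<i>dave</i>", "comment": "<script>alert(1)</script>"}

# A reference is escaped when the pattern matches its name.
PATTERNS = {
    "thread": r"^screen_content",          # pattern tried in the thread
    "no_underscore": r"^[^_]+$",           # workaround proposed in the thread
    "negated": r"^(?!screen_content$)",    # lookahead; Oro support is assumed
}


def merge(template, context, pattern):
    """Insert $references, escaping a value when pattern matches its name."""
    rx = re.compile(pattern)

    def insert(match):
        name = match.group(1)
        value = str(context[name])
        return html.escape(value) if rx.search(name) else value

    return re.sub(r"\$(\w+)", insert, template)


def render(pattern):
    """Merge the screen, then insert the result into the layout."""
    screen = merge(SCREEN, USER_INPUT, pattern)
    return merge(LAYOUT, {"screen_content": screen}, pattern)


def escaped_names(pattern, names):
    """Names whose values would be escaped under this pattern."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        print(f"{label:14} {render(pattern)}")
```

In this model the /^[^_]+$/ workaround leaves $user_name unescaped because its name contains an underscore, so any user-controlled reference named that way would still reach the page raw.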