Actually, we don't really want to be putting those escapes into the
velocity macros in the trunk anymore. The better solution is to escape
that data in the pojo wrappers so that it's guaranteed to be escaped in
templates no matter what people do.
I have already done that for the comment pojo wrapper, but we should
probably do a general audit of all the pojo wrappers and add those html
escape calls to all places where it makes sense.
-- Allen
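The approach Allen describes, escaping in the pojo wrapper so that the template is safe whatever it does, as an added illustration (not Roller's own code, and not the wrapper Allen mentions having done). The class names `Comment` and `CommentWrapper`, the `escapeHTML` helper and the sample comment are all assumptions; the scheme check in `getUrl()` goes one step beyond the thread, since HTML-escaping alone keeps a value inside the `href` attribute but says nothing about what kind of URL it is.

```java
// Added illustration, not Roller's code: a wrapper around a comment POJO
// whose getters return HTML-escaped values, so a template that writes
// $comment.name or $comment.url cannot emit raw markup. The names
// Comment, CommentWrapper and escapeHTML are hypothetical.
import java.util.Objects;

public class CommentWrapperExample {

    /** Plain data holder as persisted. Untrusted: populated from form input. */
    static final class Comment {
        final String name;
        final String url;
        final String content;
        Comment(String name, String url, String content) {
            this.name = name; this.url = url; this.content = content;
        }
        public String getName() { return name; }
        public String getUrl() { return url; }
        public String getContent() { return content; }
    }

    /** Minimal HTML escaper, safe for element text and for quoted attributes. */
    static String escapeHTML(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * The object actually handed to the template as $comment. Every getter
     * escapes, so the template needs no $utils.escapeHTML(...) calls and
     * cannot forget one.
     */
    static final class CommentWrapper {
        private final Comment pojo;
        CommentWrapper(Comment pojo) { this.pojo = Objects.requireNonNull(pojo); }

        public String getName() { return escapeHTML(pojo.getName()); }
        public String getContent() { return escapeHTML(pojo.getContent()); }

        /**
         * Escaping keeps the value inside the href attribute; restricting the
         * scheme (an assumption added here, beyond what the thread discusses)
         * keeps it an ordinary web link. Anything else renders as empty.
         */
        public String getUrl() {
            String raw = pojo.getUrl();
            if (raw == null) return "";
            String trimmed = raw.trim();
            String lower = trimmed.toLowerCase();
            if (!(lower.startsWith("http://") || lower.startsWith("https://"))) {
                return "";
            }
            return escapeHTML(trimmed);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input, the kind a comment form might submit.
        Comment c = new Comment(
            "Bob <b>bold</b>",
            "http://example.com/?a=1&b=\"x\"",
            "Hello & goodbye");
        CommentWrapper w = new CommentWrapper(c);

        // What the weblog.vm snippet would emit from $comment.name and
        // $comment.url with no escaping calls in the template itself.
        System.out.println("<a rel=\"nofollow\" href=\"" + w.getUrl() + "\"><b>"
            + w.getName() + "</b></a>");
        System.out.println(w.getContent());
    }
}
```

One practical consequence of moving escaping into the wrapper: the existing `$utils.escapeHTML($comment.name)` calls in the templates then have to be removed, otherwise a name containing `&` is escaped twice and renders literally as `&amp;`. That removal is part of the audit Allen proposes, not a separate step.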
[EMAIL PROTECTED] wrote:
Author: snoopdave
Date: Fri May 18 13:08:18 2007
New Revision: 539584
URL: http://svn.apache.org/viewvc?view=rev&rev=539584
Log:
Oops, we missed this comment field when we added XSS preventing escaping
Modified:
roller/trunk/web/WEB-INF/velocity/weblog.vm
Modified: roller/trunk/web/WEB-INF/velocity/weblog.vm
URL:
http://svn.apache.org/viewvc/roller/trunk/web/WEB-INF/velocity/weblog.vm?view=diff&rev=539584&r1=539583&r2=539584
==============================================================================
--- roller/trunk/web/WEB-INF/velocity/weblog.vm (original)
+++ roller/trunk/web/WEB-INF/velocity/weblog.vm Fri May 18 13:08:18 2007
@@ -196,7 +196,7 @@
<p class="comment-details">
$text.get("macro.weblog.postedby")
#if (!$utils.isEmpty($comment.name) &&
!$utils.isEmpty($comment.url))
- <a rel="nofollow"
href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
+ <a rel="nofollow"
href="$utils.escapeHTML($comment.url)"><b>$utils.escapeHTML($comment.name)</b></a>
#elseif (!$utils.isEmpty($comment.name))
<b>$utils.escapeHTML($comment.name)</b>
#elseif ($comment.remoteHost)
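Review bot: the `+` line wraps `$comment.url` in `$utils.escapeHTML` inside the `href` attribute, which stops the value from closing the attribute or injecting markup, but HTML escaping does not restrict what URL is emitted; the scheme should also be checked (for example, only `http` and `https` accepted) either where the comment URL is stored or in the pojo wrapper, and since this template-level call was missed once already, the same escaping should be applied in the wrapper's getter so every call site inherits it rather than relying on each `#if` branch to repeat `$utils.escapeHTML`.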