Hi, I happened to see this article on Apache Velocity:
http://wiki.apache.org/velocity/BuildingSecureWebApplications

In this wiki, in the section "Encode HTML special characters to avoid cross-scripting vulnerabilities.", Example 3 talks about writing a macro to fix this issue [unimplemented]. Can this concept be widened to escape HTML in whole Velocity pages in one shot?

wglass wrote:
> Hi,
>
> The ability to set an event handler in the velocity.properties is new in v 1.5. Previously you had to use an API call to attach the event handler to the context before merging the template. More info in the developer guide for v 1.4.
>
> WILL
>
> On Sun, Aug 3, 2008 at 5:17 AM, vinodtr <[EMAIL PROTECTED]> wrote:
>
>> Hi Chris,
>>
>> Thanks for your reply. It was of gr8 help. I would also like to know if there is any remote chance of extending the EscapeHtmlReference + ReferenceInsertionEventHandler mechanism present in Java 1.5 ??
>>
>> Velocity 1.4 contains the ReferenceInsertionEventHandler class; but no EscapeHtmlReference.
>> While loading the velocity engine, velocity.properties is consulted and all referenceInsertionEventHandlers are loaded. If I can create a class MyEscapeHtmlReference and specify it in velocity.properties like
>>
>> eventhandler.referenceinsertion.class = org.apache.velocity.app.event.implement.MyEscapeHtmlReference
>>
>> will this work? It's not working for me. What could be the problem? Correct me if I am wrong!
>>
>> Thanks in advance
>> vinodtr
>>
>> Christopher Schultz-2 wrote:
>>> Vinodtr,
>>>
>>> vinodtr wrote:
>>>> I am now using Apache Velocity 1.4 in my project. I would like to incorporate the escaping HTML feature in my project without bringing in Velocity 1.5. I could find that there is a tool called EscapeTool to achieve it. But to do that, I need to change all my velocity templates to enclose all fields inside $esc.html($form.bean.XXXX).
>>>
>>> This is the best way to achieve HTML escaping. If you'd like, you can write a short macro like this:
>>>
>>> #macro(htmlEscape $text)#if($text)$esc.html($text)#end#end
>>>
>>> This will allow you to change the implementation more easily in the future if you wish.
>>>
>>>> I would like to know if there is any way to achieve HTML escaping as a whole with velocity 1.4 itself.
>>>
>>> The only way to do this would be to override the implementation of Velocity's "toString" behavior when writing variable values to an output stream.
>>>
>>> You wouldn't want to do this globally, though, because some values should not be HTML escaped.
>>>
>>> I think your best bet is to escape them individually as you have demonstrated above. Yes, it's a lot of work, but that tends to be the case when you want to go back and add something like this. That's the penalty for not planning ahead.
>>>
>>> -chris
>>
>> --
>> View this message in context: http://www.nabble.com/Escaping-HTML-in-Velocity-1.4-tp18785489p18798132.html
>> Sent from the Velocity - Dev mailing list archive at Nabble.com.
>
> --
> Forio Business Simulations
>
> Will Glass-Husain
> [EMAIL PROTECTED]
> www.forio.com

--
View this message in context: http://www.nabble.com/Escaping-HTML-in-Velocity-1.4-tp18785489p18804815.html
Sent from the Velocity - Dev mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
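The thread above raises two points: Will's note that in Velocity 1.4 an event handler has to be attached to the context through the API rather than through velocity.properties, and Chris's caveat that a global escape is dangerous because some values must not be escaped. The following is an added example, not code from the thread or from the Velocity project, showing one way to do both in Velocity 1.4: a ReferenceInsertionEventHandler that HTML-escapes every inserted reference, attached with EventCartridge, with a small marker class (SafeHtml, a name chosen here) as the explicit opt-out for values that are already trusted markup. The HtmlEscapingHandler and escapeHtml names are also assumptions of this example; the Velocity classes and methods used (ReferenceInsertionEventHandler.referenceInsert, EventCartridge.addEventHandler / attachToContext, Velocity.init / evaluate) are part of the 1.4 API.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/** Marker (hypothetical name) for values that are already safe HTML and must not be escaped. */
final class SafeHtml {
    private final String markup;
    SafeHtml(String markup) { this.markup = markup; }
    public String toString() { return markup; }
}

/** Escapes every inserted reference unless the value is explicitly marked SafeHtml. */
public class HtmlEscapingHandler implements ReferenceInsertionEventHandler {

    /** Called by Velocity for each $reference before it is written to the output. */
    public Object referenceInsert(String reference, Object value) {
        if (value == null || value instanceof SafeHtml) {
            // Undefined references and trusted markup pass through unchanged.
            return value;
        }
        // Everything else is treated as untrusted text and escaped.
        return escapeHtml(String.valueOf(value));
    }

    /** Minimal HTML text escaper (no external dependency needed for 1.4). */
    static String escapeHtml(String s) {
        StringBuffer sb = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Velocity.init();
        VelocityContext ctx = new VelocityContext();

        // Constructed sample input: one user-controlled string, one trusted fragment.
        ctx.put("name", "<script>alert(1)</script>");
        ctx.put("banner", new SafeHtml("<b>Welcome</b>"));

        // Velocity 1.4 style: the handler is attached to the context via the API,
        // not via velocity.properties (that option only arrived in 1.5).
        EventCartridge ec = new EventCartridge();
        ec.addEventHandler(new HtmlEscapingHandler());
        ec.attachToContext(ctx);

        StringWriter out = new StringWriter();
        Velocity.evaluate(ctx, out, "demo", "$banner Hello, $name!");
        System.out.println(out);
    }
}
```

The marker type is what keeps the global approach usable: instead of the template author remembering to wrap each field in $esc.html() or the htmlEscape macro, the default is to escape, and only code that deliberately constructs a SafeHtml value can emit raw markup. In Velocity 1.5 the built-in equivalent is configuring org.apache.velocity.app.event.implement.EscapeHtmlReference as the referenceinsertion handler and narrowing it with the eventhandler.escape.html.match regular expression; the example above gives the 1.4 code path the same default-deny behaviour.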
