That article is a little out of date -- it's relative to Velocity 1.4, not 1.5. (We should fix it.)

My take is that the primary problem with cross-site scripting is not the static text but user-entered text. I prefer the solution of just using a ReferenceInsertionHandler and modifying the references themselves, as that's the only place user-entered text can come into a page. If you want to escape the HTML in an entire page, I'd suggest writing a simple Servlet filter to do this. Apache Commons has an EscapeUtils class (we use it in Velocity 1.5) that makes escaping easy.

WILL

On Sun, Aug 3, 2008 at 7:38 PM, vinodtr <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I happened to see this article on Apache Velocity.
>
> http://wiki.apache.org/velocity/BuildingSecureWebApplications
>
> In this wiki, in the section "Encode HTML special characters to avoid
> cross-scripting vulnerabilities.", Example 3 talks about writing a macro for
> fixing this issue [unimplemented].
> Can this concept be widened to escape HTML in whole Velocity pages in one
> shot?
>
> wglass wrote:
> >
> > Hi,
> >
> > The ability to set an event handler in the velocity.properties is new in
> > v1.5. Previously you had to use an API call to attach the event handler
> > to the context before merging the template. More info in the developer
> > guide for v1.4.
> >
> > WILL
> >
> > On Sun, Aug 3, 2008 at 5:17 AM, vinodtr <[EMAIL PROTECTED]> wrote:
> >
> >> Hi Chris,
> >>
> >> Thanks for your reply. It was of great help. I would also like to know if
> >> there is any remote chance of extending the EscapeHtmlReference +
> >> ReferenceInsertionEventHandler mechanism present in Java 1.5??
> >>
> >> Velocity 1.4 contains the ReferenceInsertionEventHandler class, but no
> >> EscapeHtmlReference.
> >> While loading the Velocity engine, velocity.properties is consulted and
> >> all referenceInsertionEventHandlers are loaded. If I create a class
> >> MyEscapeHtmlReference and specify it in velocity.properties like
> >>
> >> eventhandler.referenceinsertion.class =
> >> org.apache.velocity.app.event.implement.MyEscapeHtmlReference
> >>
> >> will this work? It's not working for me. What could be the problem?
> >> Correct me if I am wrong!
> >>
> >> Thanks in advance
> >> vinodtr
> >>
> >> Christopher Schultz-2 wrote:
> >> >
> >> > Vinodtr,
> >> >
> >> > vinodtr wrote:
> >> >> I am now using Apache Velocity 1.4 in my project. I would like to
> >> >> incorporate the HTML escaping feature in my project without bringing
> >> >> in Velocity 1.5. I could find that there is a tool called EscapeTool
> >> >> to achieve it. But to do that, I need to change all my Velocity
> >> >> templates to enclose all fields inside $esc.html($form.bean.XXXX).
> >> >
> >> > This is the best way to achieve HTML escaping. If you'd like, you can
> >> > write a short macro like this:
> >> >
> >> > #macro(htmlEscape $text)#if($text)$esc.html($text)#end#end
> >> >
> >> > This will allow you to change the implementation more easily in the
> >> > future if you wish.
> >> >
> >> >> I would like to know if there is any way to achieve HTML escaping as
> >> >> a whole with Velocity 1.4 itself.
> >> >
> >> > The only way to do this would be to override the implementation of
> >> > Velocity's "toString" behavior when writing variable values to an
> >> > output stream.
> >> >
> >> > You wouldn't want to do this globally, though, because some values
> >> > should not be HTML escaped.
> >> >
> >> > I think your best bet is to escape them individually as you have
> >> > demonstrated above. Yes, it's a lot of work, but that tends to be the
> >> > case when you want to go back and add something like this. That's the
> >> > penalty for not planning ahead.
> >> >
> >> > -chris
> >>
> >> --
> >> View this message in context:
> >> http://www.nabble.com/Escaping-HTML-in-Velocity-1.4-tp18785489p18798132.html
> >> Sent from the Velocity - Dev mailing list archive at Nabble.com.
> >

--
Forio Business Simulations
Will Glass-Husain
[EMAIL PROTECTED]
www.forio.com
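For readers following the thread, here is an added example (it is not code from the thread or from the Velocity project) of the approach Will describes: a ReferenceInsertionEventHandler that HTML-escapes every String reference as it is inserted, attached to the context through the EventCartridge API so that it also works on Velocity 1.4, where the eventhandler.referenceinsertion.class property is not honoured. The hand-written escapeHtml method and the "trustedHtml" naming convention for application-generated markup (Chris's point that some values must not be escaped) are assumptions of this example; on 1.5 the shipped EscapeHtmlReference would be used instead.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Escapes HTML special characters in every String reference as Velocity
 * writes it to the output. Because the handler is attached with the
 * EventCartridge API rather than through velocity.properties, it works on
 * Velocity 1.4 as well as 1.5.
 */
public class HtmlEscapingHandler implements ReferenceInsertionEventHandler {

    /** Called by Velocity for every $reference about to be written. */
    public Object referenceInsert(String reference, Object value) {
        if (value == null) {
            return null; // leave null / unset references to Velocity's normal handling
        }
        // Assumed convention (not from the thread): references whose name starts
        // with "trustedHtml" carry markup generated by the application itself,
        // never user input, and are inserted unescaped. Everything else is escaped.
        String name = reference.startsWith("$") ? reference.substring(1) : reference;
        if (name.startsWith("trustedHtml")) {
            return value;
        }
        return escapeHtml(value.toString());
    }

    /** Minimal escaper for the five characters that can change HTML structure. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Attaches the handler to a context and merges a small inline template. */
    public static void main(String[] args) throws Exception {
        Velocity.init();

        VelocityContext ctx = new VelocityContext();
        // Constructed sample data standing in for values a user typed into a form.
        ctx.put("name", "<b>Bob</b> & Co \"Ltd\"");
        // Constructed application-generated markup, opted out via the naming convention.
        ctx.put("trustedHtmlFooter", "<hr/>rendered by the application");

        // On 1.4 the handler must be attached per context like this; 1.5 can
        // additionally load it from velocity.properties.
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new HtmlEscapingHandler());
        cartridge.attachToContext(ctx);

        StringWriter out = new StringWriter();
        Velocity.evaluate(ctx, out, "demo", "<p>Hello $name</p>$trustedHtmlFooter");
        System.out.println(out);
    }
}
```

The handler only ever sees values at the moment they are written, so static template text is untouched and the escaping cannot be bypassed by a template author forgetting $esc.html(); the cost is that the opt-out has to be explicit and reviewable, which is the intent.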
