Will,

Will Glass-Husain wrote:
> My take is that the primary problem with cross-site scripting is not the static text but user-entered text. I prefer the solution of just using a ReferenceInsertionHandler and modifying the references themselves, as that's the only place user-entered text can come into a page.
A word of caution here to the OP: many references are not appropriate to escape. Here's an instance we come across all the time where escaping is not appropriate: localized messages stored in bundles.
We often have a message bundle like this:

some.link=Please make <i>sure</i> that you know what you are doing!

In order to access this message using, say, Struts' message tool, you would do this:

$msg.get('some.link')
If you change your reference handler to escape everything, then you'll end up rendering "<i>sure</i>" as-is, instead of the intended stress on the word "sure".
-chris
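One way to get the best of both positions, written here as an added illustration and not code from either poster: a ReferenceInsertionEventHandler that HTML-escapes every reference except those read through the trusted message tool. It assumes the Velocity 1.x handler signature (2.x adds a leading Context parameter), that the tool is exposed to templates as $msg, and that the bundle text itself is developer-controlled.

```java
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Escapes every reference on insertion EXCEPT references served by the
 * message tool, whose text comes from the localized bundle, not the user.
 * Assumption: Velocity 1.x signature; 2.x is referenceInsert(Context, String, Object).
 */
public class EscapeExceptBundleHandler implements ReferenceInsertionEventHandler {

    // The "reference" argument is the text as written in the template,
    // e.g. "$msg.get('some.link')". The $msg tool name is an assumption.
    private static final String TRUSTED_PREFIX = "$msg.";

    public Object referenceInsert(String reference, Object value) {
        if (value == null) {
            return null;
        }
        if (reference.startsWith(TRUSTED_PREFIX)) {
            // Bundle markup such as "<i>sure</i>" is rendered as intended.
            // Caveat: any user-supplied arguments interpolated into the bundle
            // message must be escaped before they are handed to $msg.get().
            return value;
        }
        return escapeHtml(value.toString());
    }

    /** Minimal HTML escaping for text placed into element content or attributes. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Attach the handler to a context before merging a template with it. */
    public static VelocityContext wire(VelocityContext ctx) {
        EventCartridge ec = new EventCartridge();
        ec.addEventHandler(new EscapeExceptBundleHandler());
        ec.attachToContext(ctx);
        return ctx;
    }
}
```

Velocity's bundled EscapeHtmlReference handler offers the same kind of selectivity without custom code, through the eventhandler.escape.html.match regular expression that limits which reference names are escaped.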