You can always have the reference handler selectively escape or omit
references.  With the EscapeHtmlReference in Velocity 1.5 you can use
regular expressions to identify which references to escape.

WILL

On Sun, Aug 3, 2008 at 8:46 PM, Christopher Schultz <
[EMAIL PROTECTED]> wrote:

> Will,
>
> Will Glass-Husain wrote:
>
>> My take is that the primary problem with cross-site scripting is not the
>> static text but user-entered text.  I prefer the solution of just using a
>> ReferenceInsertionHandler and modifying the references themselves, as
>> that's the only place user-entered text can come into a page.
>>
>
> A word of caution here to the OP: many references are not appropriate to
> escape. Here's an instance we come across all the time where escaping is not
> appropriate: localized messages stored in bundles.
>
> We often have a message bundle like this:
>
> some.link=Please make <i>sure</i> that you know what you are doing!
>
> In order to access this message using, say, struts' message tool, you would
> do this:
>
> $msg.get('some.link')
>
> If you change your reference handler to escape everything, then you'll end
> up rendering "<i>sure</i>" as-is, instead of the intended stress on the word
> "sure".
>
> -chris
>
>


-- 
Forio Business Simulations

Will Glass-Husain
[EMAIL PROTECTED]
www.forio.com
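As an added illustration of the selective approach Will describes and the bundle case Chris raises (my own example, not code from the thread or from Velocity itself): a ReferenceInsertionEventHandler for Velocity 1.5 that HTML-escapes every reference except those matching an assumed trusted pattern for the message tool. The class name, the `$msg.get(...)` pattern and the sample values are assumptions; it expects the Velocity 1.5 jar on the classpath.

```java
import java.util.regex.Pattern;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Escapes every reference inserted into a template as HTML, except references
 * whose literal text matches a trusted pattern. Register it in velocity.properties:
 *   eventhandler.referenceinsertion.class = SelectiveHtmlEscape
 * Assumption: $msg.get(...) returns localized bundle text that must render as markup.
 */
public class SelectiveHtmlEscape implements ReferenceInsertionEventHandler {

    // References, as written in the template, whose values carry trusted markup.
    private static final Pattern TRUSTED = Pattern.compile("^\\$msg\\.get\\(.*\\)$");

    // Velocity 1.5 signature: the reference literal (e.g. "$user.name") and its resolved value.
    public Object referenceInsert(String reference, Object value) {
        if (value == null) {
            return null;                      // leave invalid-reference handling to Velocity
        }
        if (TRUSTED.matcher(reference).matches()) {
            return value;                     // bundle text: keep <i>sure</i> as markup
        }
        return escapeHtml(value.toString());  // anything else may be user-entered: escape it
    }

    /** Escapes the five characters that can break out of HTML text or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-alone check of both paths without running the engine (constructed values).
    public static void main(String[] args) {
        SelectiveHtmlEscape h = new SelectiveHtmlEscape();
        System.out.println(h.referenceInsert("$msg.get('some.link')",
                "Please make <i>sure</i> that you know what you are doing!"));
        System.out.println(h.referenceInsert("$comment", "I <3 Velocity & \"quotes\""));
    }
}
```

The first line prints with the `<i>` tags intact, the second with `<`, `&` and `"` turned into entities.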
