Hi all,
So after all these discussions, I could understand that this issue of cross-site
scripting can be fixed in all pages at one go only by bringing in
Velocity 1.5. If I am sticking with 1.4, I need to use the EscapeTool to
wrap all user-entered fields. Am I right? There is no one-step fix in
Velocity 1.4, and there is no scope for extending the Velocity 1.4 API to
bring in the 1.5 fix, am I right? Correct me if I am wrong!
Thanks much
wglass wrote:
>
> You can always have the reference handler selectively escape or omit
> references. With the EscapeHtmlReference in Velocity 1.5 you can use
> regular expressions to identify references to escape.
>
> WILL
>
> On Sun, Aug 3, 2008 at 8:46 PM, Christopher Schultz <
> [EMAIL PROTECTED]> wrote:
>
>> Will,
>>
>> Will Glass-Husain wrote:
>>
>>> My take is that the primary problem with cross-site scripting is not the
>>> static text but user-entered text. I prefer the solution of just using a
>>> ReferenceInsertionHandler and modifying the references themselves, as
>>> that's the only place user-entered text can come into a page.
>>>
>>
>> A word of caution, here to the OP: many references are not appropriate to
>> escape. Here's an instance we come across all the time where escaping is
>> not appropriate: localized messages stored in bundles.
>>
>> We often have a message bundle like this:
>>
>> some.link=Please make sure that you know what you are doing!
>>
>> In order to access this message using, say, Struts' message tool, you
>> would do this:
>>
>> $msg.get('some.link')
>>
>> If you change your reference handler to escape everything, then you'll
>> end up rendering "sure" as-is, instead of the intended stress on the word
>> "sure".
>>
>> -chris
>>
>>
>
>
> --
> Forio Business Simulations
>
> Will Glass-Husain
> [EMAIL PROTECTED]
> www.forio.com
>
>
--
View this message in context:
http://www.nabble.com/Escaping-HTML-in-Velocity-1.4-tp18785489p18805575.html
Sent from the Velocity - Dev mailing list archive at Nabble.com.