Or just write your own event handler to handle the escaping of references.
It's not that complicated.

WILL

On Sun, Aug 3, 2008 at 9:40 PM, vinodtr <[EMAIL PROTECTED]> wrote:

>
>
> Hi all,
>
> So after all these discussions, I could understand that this issue of cross
> site scripting can be fixed in all pages at one go only by bringing in
> velocity 1.5. If I am sticking with 1.4, I need to use the EscapeTool to
> wrap all user entered fields. Am I right? There is no one step fix in
> velocity 1.4 and there is no scope of extending the velocity 1.4 API to
> bring in the 1.5 fix in this, am I right? Correct me if I am wrong!
>
> thanks much
>
>
>
> wglass wrote:
> >
> > You can always have the reference handler selectively escape or omit
> > references.  With the EscapeHtmlReference in Velocity 1.5 you can use
> > regular expressions to identify references to escape.
> >
> > WILL
> >
> > On Sun, Aug 3, 2008 at 8:46 PM, Christopher Schultz <[EMAIL PROTECTED]> wrote:
> >
> >> Will,
> >>
> >> Will Glass-Husain wrote:
> >>
> >>> My take is that the primary cross-site-scripting problem is not the
> >>> static text but user-entered text.  I prefer the solution of just using a
> >>> ReferenceInsertionHandler and modifying the references themselves, as
> >>> that's the only place user-entered text can come into a page.
> >>>
> >>
> >> A word of caution here to the OP: many references are not appropriate to
> >> escape. Here's an instance we come across all the time where escaping is
> >> not appropriate: localized messages stored in bundles.
> >>
> >> We often have a message bundle like this:
> >>
> >> some.link=Please make sure that you know what you are doing!
> >>
> >> In order to access this message using, say, struts' message tool, you
> >> would do this:
> >>
> >> $msg.get('some.link')
> >>
> >> If you change your reference handler to escape everything, then you'll
> >> end up rendering "sure" as-is, instead of the intended stress on the word
> >> "sure".
> >>
> >> -chris
> >>
> >>
> >
> >
> > --
> > Forio Business Simulations
> >
> > Will Glass-Husain
> > [EMAIL PROTECTED]
> > www.forio.com
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/Escaping-HTML-in-Velocity-1.4-tp18785489p18805575.html
> Sent from the Velocity - Dev mailing list archive at Nabble.com.
>


-- 
Forio Business Simulations

Will Glass-Husain
[EMAIL PROTECTED]
www.forio.com
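Putting Will's suggestion and Chris's caveat together, here is an added example (not code from the thread or from the Velocity project): a ReferenceInsertionEventHandler for the Velocity 1.x two-argument `referenceInsert` signature that HTML-escapes every reference except those matching a pass-through pattern. The `$msg` tool name and the regex are assumptions taken from the quoted message-bundle example; the pass-through list must contain only references that never carry user-entered text, since their output reaches the page verbatim.

```java
import java.util.regex.Pattern;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;
import org.apache.velocity.context.Context;

/** Escapes every inserted reference as HTML except those matching a pass-through
 *  pattern (here the hypothetical $msg tool whose bundle values carry intended
 *  markup). Exempt only references that never carry user input. */
public class SelectiveHtmlEscapeHandler implements ReferenceInsertionEventHandler {
    private final Pattern passThrough;

    public SelectiveHtmlEscapeHandler(String passThroughRegex) {
        this.passThrough = Pattern.compile(passThroughRegex);
    }

    /** Velocity calls this for each reference just before it is written;
     *  'reference' is the literal text, e.g. $msg.get('some.link'). */
    public Object referenceInsert(String reference, Object value) {
        if (value == null) {
            return null;                       // keep Velocity's own null/$! handling
        }
        if (passThrough.matcher(reference).matches()) {
            return value;                      // trusted, markup-bearing reference
        }
        return escapeHtml(value.toString());   // everything else may be user-controlled
    }

    /** Minimal HTML escaping so the handler needs no extra dependency. */
    static String escapeHtml(String s) {
        StringBuffer sb = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Attach to a context; the assumed pattern passes $msg.* and $!msg.* only. */
    public static void install(Context ctx) {
        EventCartridge ec = new EventCartridge();
        ec.addEventHandler(new SelectiveHtmlEscapeHandler("^\\$!?msg\\..*"));
        ec.attachToContext(ctx);
    }
}
```

Call `SelectiveHtmlEscapeHandler.install(context)` before merging a template; every `$user.name`-style reference is then escaped while `$msg.get('some.link')` keeps its markup.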
