vinodtr wrote:

Hi all,

So after all these discussions, I could understand that this issue of cross site scripting can be fixed in all pages at one go only by bringing in Velocity 1.5. If I am sticking with 1.4, I need to use the EscapeTool to wrap all user entered fields. Am I right? There is no one step fix in Velocity 1.4 and there is no scope of extending the Velocity 1.4 API to bring in the 1.5 fix in this, am I right? Correct me if I am wrong!

I don't think that Velocity 1.5 really fixes this. You can have it escape all the variables that the template outputs, but as Christopher Schultz points out, you sometimes need to turn off the escaping, and AFAICS, Velocity 1.5 doesn't address that (fairly obviously) use case. AFAICS, you can only turn on the escaping globally.

Also, there are these niggling details, like the fact that the escaping may need to be a tad different within a <SCRIPT>...</SCRIPT> block that contains javascript as opposed to one that contains HTML. So, obviously, the ability to escape the output of variables in an entire page is too crude an instrument (aside from the fact that there is no disposition for turning it off from within the page, at least)...

Now, this kind of thing has been addressed in FreeMarker for ages, like 5 or even 6 years. See:

http://freemarker.org/docs/ref_directive_escape.html

That said, I actually don't think that this is a complete and satisfactory solution to the whole escaping problem. But, of course, it is providing you with the means to address this, even if the solution is imperfect.

Really, the proposal that you type #htmlescape($var) every time you output a variable strikes me as verging on the absurd. If a flaw this basic in FreeMarker were pointed out, I think the discussion would very quickly shift to how to add some functionality to the tool that addresses the problem. It is very telling IMO that, here, even the supposed developers of the tool talk of its feature set as if it was something fixed that they can't really do anything about (!)

Regards,

Jonathan Revusky
--
lead developer, FreeMarker project, http://freemarker.org/


thanks much



wglass wrote:
You can always have the reference handler selectively escape or omit references. With the EscapeHtmlReference in Velocity 1.5 you can use regular expressions to identify references to escape.

WILL

On Sun, Aug 3, 2008 at 8:46 PM, Christopher Schultz <[EMAIL PROTECTED]> wrote:

Will,

Will Glass-Husain wrote:

My take is that the primary problem with cross-site-scripting is not the static text but user-entered text. I prefer the solution of just using a ReferenceInsertionHandler and modifying the references themselves, as that's the only place user-entered text can come into a page.

A word of caution here to the OP: many references are not appropriate to escape. Here's an instance we come across all the time where escaping is not appropriate: localized messages stored in bundles.

We often have a message bundle like this:

some.link=Please make sure that you know what you are doing!

In order to access this message using, say, struts' message tool, you would do this:

$msg.get('some.link')

If you change your reference handler to escape everything, then you'll end up rendering "sure" as-is, instead of the intended stress on the word "sure".

-chris



--
Forio Business Simulations

Will Glass-Husain
[EMAIL PROTECTED]
www.forio.com
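The approach Will describes (a reference insertion handler) and the caveat Chris raises (bundle messages that intentionally carry markup) can be combined in one handler. The following is an added example written for this thread, not code from the Velocity project or from any poster: it escapes every reference by default and passes through only references whose name matches an allowlist regex, the reverse of what EscapeHtmlReference's match setting does. It is written against the Velocity 1.5 ReferenceInsertionEventHandler signature (`referenceInsert(String, Object)`; the ReferenceInsertionEventHandler and EventCartridge interfaces predate 1.5, only the ready-made EscapeHtmlReference class is new there). The class name, the `msg(\..*)?` allowlist pattern, the sample context values and the template are all constructed for the demonstration; the assumption that Velocity passes the literal reference text (e.g. `$msg.get('some.link')`) to the handler is what the leading `$` strip relies on.

```java
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Escape-by-default reference handler (Velocity 1.5 API, hypothetical class name).
 * Every reference rendered into the page is HTML-escaped unless its name matches an
 * explicit allowlist, so user-entered values are neutralised while the few references
 * that legitimately carry markup (message bundles) are emitted unchanged.
 */
public class EscapeByDefaultHandler implements ReferenceInsertionEventHandler {

    // Anchored match against the reference name without its leading '$'.
    private final Pattern rawAllowed;

    public EscapeByDefaultHandler(String allowRegex) {
        this.rawAllowed = Pattern.compile(allowRegex);
    }

    public Object referenceInsert(String reference, Object value) {
        if (value == null) {
            return null;                     // leave null handling to Velocity
        }
        // Assumption: 'reference' is the literal reference text, e.g. "$msg.get('some.link')".
        String name = reference.startsWith("$") ? reference.substring(1) : reference;
        if (rawAllowed.matcher(name).matches()) {
            return value;                    // trusted source, markup is intentional
        }
        return escapeHtml(String.valueOf(value));
    }

    /** Minimal escaping for HTML text nodes and quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.init();

        VelocityContext ctx = new VelocityContext();
        // Constructed sample values: one hostile user-entered string and one bundle
        // message that deliberately contains markup (Chris's "stress on the word sure").
        ctx.put("userName", "<script>alert(1)</script>");
        Map<String, String> bundle = new HashMap<String, String>();
        bundle.put("some.link", "Please make <b>sure</b> that you know what you are doing!");
        ctx.put("msg", bundle);

        // Attach the handler to this context only; allow raw output for $msg and $msg.* references.
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new EscapeByDefaultHandler("msg(\\..*)?"));
        cartridge.attachToContext(ctx);

        String template = "<p>Hello $userName</p>\n<p>$msg.get('some.link')</p>\n";
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", template);
        System.out.print(out);
        // $userName is emitted as &lt;script&gt;alert(1)&lt;/script&gt;; the bundle text keeps its <b>.
    }
}
```

Two limits are worth keeping in mind. The handler sees only the reference name, not where in the page it lands, so it cannot apply the different escaping a value needs inside a script block, which is Jonathan's point above; values destined for JavaScript still need a separate JSON or JavaScript-string encoder. And the allowlist moves the trust decision to whoever edits the bundle: anything that can write to `some.link` can now write markup into the page, so the bundle must be as protected as the templates themselves.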




