Will Glass-Husain wrote:
That article is a little out of date-- it's relative to Velocity 1.4 not
1.5.  (we should fix it).

My take is that the primary problem with cross-site scripting is not the static
text but user-entered text.  I prefer the solution of just using a
ReferenceInsertionHandler and modifying the references themselves, as that's the
only place user-entered text can come into a page.

If you want to escape the HTML in an entire page, I'd suggest writing a
simple Servlet filter to do this.  Apache Commons has an EscapeUtils class
(we use it in Velocity 1.5) that makes escaping easy.

????

Well, how would the filter know which parts need to be escaped? Wouldn't it then translate even the opening <html> tag into &lt;html&gt; ??

Of course, the filter approach could work, I suppose, but not so simply. AFAICS, you could stick markers in the intermediate output to the filter that mark where reference output starts and ends, so $x gets translated in the intermediate stream into:

<reference>[whatever x actually is]</reference>

and then the filter produces the final output by passing through everything that is not a reference element and with the reference elements, it removes the reference tags and escapes the text inside them.

But that's a fairly baroque solution to this whole issue... And for people to have to jury-rig solutions like this to such basic problems is really a bit much too...

The basic problem here is that Velocity is really underpowered, it lacks very basic things. A disposition to deal with this escaping issue is just one example. I honestly don't know how many man-hours of labor have been wasted out there, where people start using Velocity and then discover that it's just not really powerful enough and then have to switch to something like FreeMarker that has these kinds of features, that are really very basic to templating in the web space.

Jonathan Revusky
--
lead developer, FreeMarker project, http://freemarker.org/



WILL

On Sun, Aug 3, 2008 at 7:38 PM, vinodtr <[EMAIL PROTECTED]> wrote:

Hi,

I happened to see this article on apache velocity.

http://wiki.apache.org/velocity/BuildingSecureWebApplications

In this wiki, in the section "Encode HTML special characters to avoid
cross-scripting vulnerabilities.", Example 3 talks about writing a macro for
fixing this issue [unimplemented].
Can this concept be widened to escape HTML in whole Velocity pages in one shot?



wglass wrote:
Hi,

The ability to set an event handler in the velocity.properties is new in
v1.5.  Previously you had to use an API call to attach the event handler to
the context before merging the template.  More info in the developer guide
for v1.4.

WILL

On Sun, Aug 3, 2008 at 5:17 AM, vinodtr <[EMAIL PROTECTED]> wrote:

Hi Chris,

Thanks for your reply. It was of great help. I would also like to know if
there is any remote chance of extending the EscapeHtmlReference +
ReferenceInsertionEventHandler mechanism present in Java 1.5 ??

Velocity 1.4 contains the ReferenceInsertionEventHandler class, but no
EscapeHtmlReference.
While loading the Velocity engine, velocity.properties is consulted and all
referenceInsertionEventHandlers are loaded. If I create a class
MyEscapeHtmlReference and specify it in velocity.properties like

eventhandler.referenceinsertion.class =
org.apache.velocity.app.event.implement.MyEscapeHtmlReference

will this work? It's not working for me. What could be the problem? Correct
me if I am wrong!

Thanks in advance
vinodtr


Christopher Schultz-2 wrote:
Vinodtr,

vinodtr wrote:
I am now using Apache Velocity 1.4 in my project. I would like to
incorporate the escaping HTML feature in my project without bringing in
Velocity 1.5. I could find that there is a tool called EscapeTool to achieve
it. But to do that, I need to change all my Velocity templates to enclose
all fields inside $esc.html($form.bean.XXXX).
This is the best way to achieve HTML escaping. If you'd like, you can
write a short macro like this:

#macro(htmlEscape $text)#if($text)$esc.html($text)#end#end

This will allow you to change the implementation more easily in the
future if you wish.

I would like to know if there is any way to achieve HTML escaping as a whole
with Velocity 1.4 itself.
The only way to do this would be to override the implementation of
Velocity's "toString" behavior when writing variable values to an output
stream.

You wouldn't want to do this globally, though, because some values
should not be HTML escaped.

I think your best bet is to escape them individually as you have
demonstrated above. Yes, it's a lot of work, but that tends to be the
case when you want to go back and add something like this. That's the
penalty for not planning ahead.

-chris
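The two approaches discussed in this thread (Will's point that in Velocity 1.4 the handler has to be attached through the API rather than velocity.properties, and Chris's caveat that some values must not be escaped) can be combined in a single ReferenceInsertionEventHandler. The following is an added example written for this page, not code from the Velocity project or from anyone in the thread. It assumes Velocity 1.4 or 1.5 and commons-lang 2.x on the classpath; the "$raw..." naming convention used as the opt-out, the handler class name and the sample context values are all constructed for the illustration.

```java
import java.io.StringWriter;

import org.apache.commons.lang.StringEscapeUtils;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Escapes every reference rendered into the page as HTML, except references
 * whose name starts with "raw" (e.g. $rawFooter), which are passed through.
 * The opt-out convention is an assumption made for this example.
 */
public class EscapeAllReferences {

    static class HtmlEscapingHandler implements ReferenceInsertionEventHandler {
        public Object referenceInsert(String reference, Object value) {
            if (value == null) {
                return null;
            }
            // Velocity hands us the reference as written in the template
            // ("$name", "$!name", "${name}"); strip the prefix before matching.
            String name = reference.replaceFirst("^\\$!?\\{?", "");
            if (name.startsWith("raw")) {
                return value;            // trusted markup, deliberately unescaped
            }
            // Entity-encode <, >, &, " so user-supplied text cannot start a tag
            return StringEscapeUtils.escapeHtml(value.toString());
        }
    }

    /** Attaches the handler to the context via the API (works on 1.4 without velocity.properties). */
    public static String render(String template, VelocityContext ctx) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.init();

        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new HtmlEscapingHandler());
        cartridge.attachToContext(ctx);

        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "escape-demo", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityContext ctx = new VelocityContext();
        // Constructed sample input: an untrusted value and a trusted one
        ctx.put("name", "<script>alert(1)</script>");
        ctx.put("rawFooter", "<b>site footer</b>");

        String template = "<html><body><p>Hello $name</p>$rawFooter</body></html>";
        System.out.println(render(template, ctx));
        // The static <html> markup and $rawFooter are untouched; only $name is
        // entity-encoded, so the script tag never reaches the browser as markup.
    }
}
```

Because the handler only sees reference values, the static parts of the template are never escaped, which answers the objection about a filter turning the opening <html> tag into &lt;html&gt;. The opt-out still needs discipline: anything named "raw..." is trusted by construction, so it must never be fed from request data. Note also that HTML entity encoding is only correct for element content and quoted attribute values; a value inserted inside a <script> block or an inline event handler needs JavaScript-context escaping instead.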




--
View this message in context:

http://www.nabble.com/Escaping-HTML-in-Velocity-1.4-tp18785489p18798132.html
Sent from the Velocity - Dev mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



--
Forio Business Simulations

Will Glass-Husain
[EMAIL PROTECTED]
www.forio.com


--
View this message in context:
http://www.nabble.com/Escaping-HTML-in-Velocity-1.4-tp18785489p18804815.html
Sent from the Velocity - Dev mailing list archive at Nabble.com.







