[please use [email protected]

There are several ways to ease the escaping process. You can create a ReferenceInsertionEventHandler filter that will escape all critical references, based on whatever criteria you need - for instance, the filter can be initialized with a text file containing critical reference names (or regexes), and automatically apply filtering to them.

Claude

On Fri, 2009-02-06 at 12:45 +0800, Leon sdh5724 wrote:
> Dear Devs,
>
> Velocity is a great open-source component for web page rendering. We deploy it on our site, which renders more than 1 billion dynamic web pages every day. But Velocity has no security protection against XSS + CSRF attacks. Every rendered reference point needs the programmer to write code such as "$stringEscapedUtil.escapedHtml($ref)". But such code will be forgotten by programmers, especially a newbie. So security cannot be handled at every output.
>
> In fact, nearly every web page output needs to be HTML encoded, about more than 90%. The best solution is that we should HTML encode every output reference by default. Some special macro directive leaves the other 10% of content output unencoded. The attachment is my demo code (in fact we have deployed it in our production environment). The code implementation is very ugly, but it brings us sophisticated security. Maybe it can bring the Velocity Dev Team some ideas on web security.
>
> Sorry for my code's comments being written in Chinese. I think the code is very simple. I explain it now:
>
> 1. html/xml encode part: I copied it from the Apache Commons component, and rewrote it for performance and removed encoding for non-ASCII Unicode. Encoding all Unicode chars is not wise, since it causes larger web pages and causes debugging problems.
>
> 2. I implemented an xml/html/javascript/XSS filter. I think the XSS filter should be optional, because it has many security rules.
>
> It is ONLY advice.
>
> Leon Liu
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
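The escape-by-default handler Claude sketches, written out as an added example (not code from the thread or from Velocity itself): every reference is HTML-encoded on insertion unless its name matches a configured "raw" regex, which plays the role of Leon's special directive for the unencoded 10%. It assumes the Velocity 1.x `ReferenceInsertionEventHandler` signature; the handler class name, the raw-pattern constructor argument and the `wrap` helper are this example's own.

```java
import java.util.regex.Pattern;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Escape-by-default handler (example code, not part of Velocity): every
 * $reference is HTML-encoded unless its name matches the "raw" pattern.
 * Targets the Velocity 1.x signature; in 2.x referenceInsert also takes a Context.
 */
public class EscapeByDefaultHandler implements ReferenceInsertionEventHandler {

    private final Pattern rawReferences;

    /** @param rawPattern regex over reference names, e.g. "\\$raw\\..*", left unescaped */
    public EscapeByDefaultHandler(String rawPattern) {
        this.rawReferences = Pattern.compile(rawPattern);
    }

    public Object referenceInsert(String reference, Object value) {
        if (value == null || rawReferences.matcher(reference).matches()) {
            return value; // explicitly marked raw: the template author opted out
        }
        return escapeHtml(String.valueOf(value));
    }

    /** Encode only the characters that change HTML structure; non-ASCII is passed through. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Attach the handler so every reference rendered with this context is filtered. */
    public static VelocityContext wrap(VelocityContext ctx, String rawPattern) {
        EventCartridge ec = new EventCartridge();
        ec.addEventHandler(new EscapeByDefaultHandler(rawPattern));
        ec.attachToContext(ctx);
        return ctx;
    }
}
```

With this attached, a template line like `<p>$user.name</p>` is safe without any explicit escaping call, while `$raw.trustedHtml` still renders unencoded; the handler can also be registered globally through the `eventhandler.referenceinsertion.class` property instead of per context.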
