On Feb 5, 2009, at 21:45 , Leon sdh5724 wrote:
Dear Devs,
Velocity is a great open-source component for web page rendering.
We deploy it on our site, which renders more than 1 billion dynamic
web pages every day.
Wow, 1 Billion... That's traffic.
But Velocity has no security protection against XSS + CSRF attacks. Every
render reference point needs the programmer to write code such as
"$stringEscapedUtil.escapedHtml($ref)". But such code will be
forgotten by programmers, especially a newbie. So security cannot be
handled at every output.
In fact, every web page output needs to be HTML encoded, about
more than 90%. The best solution is that we should do HTML encoding for every
output reference by default. Some special macro/directive is left for the 10%
of content output.
The attachment is my demo code (in fact we have deployed it in our
production environment). The code implementation is very ugly, but
brings us sophisticated security. Maybe it can bring the Velocity Dev
Team some ideas on web security.
Sorry for my code's comments being written in Chinese. I think the code
is very simple. I explain it now:
1. html/xml encode part: I copied it from the Apache Commons
component, and rewrote it for performance issues and removed encoding for
non-ASCII Unicode. Encoding all Unicode chars is not wise, as it causes
larger web pages and causes debugging problems.
But it looks like you do escape many non-ASCII Unicode characters in
the case of HTML40, which includes the arrays ISO8859_1_ARRAY and
HTML40_ARRAY. Any reason why you escape these?
Anyway, thanks for sharing.
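A minimal version of the escape-by-default idea discussed in this thread, added here as an illustration rather than Leon's attached demo: a Velocity 1.x ReferenceInsertionEventHandler that HTML-escapes every inserted reference, leaves non-ASCII characters unencoded as the mail describes, and lets a template opt out for trusted markup by naming the reference with a `raw_` prefix. The class name, the `raw_` opt-out convention and the Velocity 1.x handler signature are assumptions.

```java
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/** Escape every $reference by default; "$raw_name" opts out (assumed convention, not the attached code). */
public class DefaultHtmlEscape implements ReferenceInsertionEventHandler {

    // Velocity 1.x calls this for every reference just before its value is written to the output.
    // "reference" is the literal text from the template, e.g. "$name", "$!name" or "${name}".
    public Object referenceInsert(String reference, Object value) {
        if (value == null) {
            return null;
        }
        if (isRawReference(reference)) {
            return value;               // template author explicitly asked for unescaped output
        }
        return escapeHtml(value.toString());
    }

    // Strip the "$", optional "!" and optional "{" so the opt-out check sees the bare name.
    static boolean isRawReference(String reference) {
        String name = reference.startsWith("$") ? reference.substring(1) : reference;
        if (name.startsWith("!")) name = name.substring(1);
        if (name.startsWith("{")) name = name.substring(1);
        return name.startsWith("raw_");
    }

    // Only the characters with HTML meaning in text and attribute context are encoded;
    // non-ASCII characters pass through unchanged, keeping pages small and readable.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Register the handler engine-wide so no template can forget it (property name is Velocity's own).
    static void install(VelocityEngine engine) {
        engine.setProperty("eventhandler.referenceinsertion.class", DefaultHtmlEscape.class.getName());
    }
}
```

With the handler installed, `$title` renders `<b>` as `&lt;b&gt;` while `$raw_body` is inserted verbatim, so the unescaped path is visible in the template itself and easy to grep for in review.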