2009/2/6 Byron Foster <[email protected]>

> On Feb 5, 2009, at 21:45, Leon sdh5724 wrote:
>
>> Dear Devs,
>> Velocity is a great open-source component for web page rendering. We
>> deploy it on our site, which renders more than 1 billion dynamic web
>> pages every day.
>
> Wow, 1 billion... That's traffic.

Yes, big traffic.

>> But Velocity has no security protection against XSS + CSRF attacks. Every
>> rendered reference point needs the programmer to write code such as
>> "$stringEscapedUtil.escapedHtml($ref)". But such code will be forgotten
>> by the programmer, especially a newbie. So security cannot be handled at
>> every output.
>> In fact, nearly every web page output needs to be HTML-encoded, about more
>> than 90%. The best solution is that we should HTML-encode every output
>> reference by default. Some special macro directive is left for the 10% of
>> content output.
>> The attachment is my demo code (in fact we have deployed it in our
>> production environment). The code implementation is very ugly, but it
>> brings us sophisticated security. Maybe it can give the Velocity Dev Team
>> some ideas on web security.
>> Sorry that my code's comments are written in Chinese. I think the code is
>> very simple. I explain it now:
>> 1. HTML/XML encode part: I copied it from the Apache Commons component, and
>> rewrote it for performance reasons and removed encoding for non-ASCII
>> Unicode. Encoding all Unicode chars is not wise; it causes larger web
>> pages and causes debugging problems.
>
> But it looks like you do escape many non-ASCII Unicode characters in the
> case of HTML40, which includes the arrays ISO8859_1_ARRAY and HTML40_ARRAY.
> Any reason why you escape these?

These chars come from the W3C spec. Some chars are very dangerous on the Windows IE platform. Our security team requires encoding these chars. So I copied the chars into my code. That's all.

> Anyway, thanks for sharing.
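The escape-by-default model Leon argues for above, as an added illustration that is not part of the thread and not Velocity's or Leon's attached code. It uses a hypothetical mini-template syntax of its own (`${name}` is escaped by default, `$raw{name}` is the explicit opt-out, and a `SafeHtml` marker type lets the context supply trusted markup); the encoder escapes only the five ASCII characters that can change HTML structure and passes non-ASCII through, on the assumption that the page is served as UTF-8. `render_legacy` shows the opt-in model the thread criticises, where a forgotten helper call ships the payload as-is.

```python
import re


class SafeHtml(str):
    """Marker type for markup the template author explicitly vouches for.
    Values of this type are inserted verbatim; everything else is escaped."""


# The five ASCII characters that can terminate or alter HTML element or
# attribute context. Non-ASCII is deliberately left alone (assumes UTF-8 output).
_HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
}


def escape_html(value):
    """HTML-escape text for element content or a double-quoted attribute.
    A SafeHtml value is returned unchanged; anything else is stringified
    and escaped character by character."""
    if isinstance(value, SafeHtml):
        return str(value)
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in str(value))


# Hypothetical template syntax (assumption, not Velocity's grammar):
#   ${name}     -> value escaped (the default)
#   $raw{name}  -> value inserted as-is (the explicit opt-out)
_REF = re.compile(r"\$(raw)?\{([A-Za-z_][A-Za-z0-9_]*)\}")


def render(template, context):
    """Escape-by-default renderer: every reference is escaped unless the
    template says $raw{...} or the context value is a SafeHtml."""
    def substitute(match):
        raw, name = match.group(1), match.group(2)
        value = context.get(name, "")
        if raw:
            return str(value)
        return escape_html(value)
    return _REF.sub(substitute, template)


def render_legacy(template, context):
    """Opt-in model: nothing is escaped unless the template author remembered
    to call an escaping helper. Shown only to contrast with render()."""
    return re.sub(
        r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}",
        lambda m: str(context.get(m.group(1), "")),
        template,
    )


if __name__ == "__main__":
    # Constructed sample input: an attacker-controlled display name.
    ctx = {
        "name": "<script>alert(1)</script>",
        "city": "Zürich",
        "title": '" onmouseover="alert(1)',
        "banner": SafeHtml("<b>Welcome</b>"),
    }
    print(render("<p>${name} from ${city}</p>", ctx))
    print(render('<a title="${title}">x</a>', ctx))
    print(render("<div>${banner}</div>", ctx))
    print(render("<div>$raw{name}</div>", ctx))
    print(render_legacy("<p>${name}</p>", ctx))
```

The important property is that the unsafe path is the one that requires extra typing: a template written in a hurry gets escaping, and only a deliberate `$raw{...}` or a `SafeHtml` wrapper yields raw markup, which is also the only place a reviewer has to look.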
