Default escapeXml behavior should be configurable for environments that want to escape by default
-------------------------------------------------------------------------------------------------

                 Key: DISPL-664
                 URL: http://jira.codehaus.org/browse/DISPL-664
             Project: DisplayTag
          Issue Type: Improvement
          Components: Configuration, Tag Library
    Affects Versions: 1.2
            Reporter: Dan L


DISPL-80 (http://jira.codehaus.org/browse/DISPL-80) added the escapeXml 
attribute to the display:column tag.  However, it was added so that columns 
don't escape by default -- you need to add the property to enable the escaping.

There are many security and application development arguments that could be 
made in favor of an escape-by-default strategy -- e.g. every column should 
escape XML by default unless explicitly told otherwise because if the developer 
is forced to explicitly turn off escaping, he is forced to consider whether he 
has addressed all potential HTML injection attack vectors.

However, I don't want to turn this into a 
philosophical/backwards-compatibility/whatever issue.  We can keep the 
don't-escape-by-default behavior, but at the very least, this behavior should 
be customizable to support development environments that take a more 
conservative view to this type of thing.  An overridable property in 
displaytag.properties to control the default escaping behavior would be the way 
to go.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
displaytag-devel mailing list
displaytag-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/displaytag-devel
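The following is an added illustration of the behavior the issue asks for; it is not DisplayTag code and does not use the library's real classes. It models a display:column-style cell renderer whose escapeXml attribute, when omitted, falls back to a default read from a properties file. The property name `column.escapeXml.default`, the `TableProperties` stand-in and the `renderCell` helper are assumptions for this example; the absent-key default of `false` mirrors the 1.2 behavior the reporter describes, and an explicit attribute on the tag overrides the configured default in both directions.

```java
import java.util.Properties;

/**
 * Added example (not DisplayTag code): a column renderer whose per-column
 * escapeXml setting falls back to a configurable default, modeling the
 * displaytag.properties override requested in DISPL-664.
 */
public class EscapeDefaultDemo {

    /** Hypothetical property name; DisplayTag 1.2 has no such key. */
    static final String DEFAULT_ESCAPE_KEY = "column.escapeXml.default";

    /** Minimal XML/HTML escaping of the characters that enable markup injection. */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-in for the tag library's configuration loaded from displaytag.properties. */
    static final class TableProperties {
        private final Properties props;

        TableProperties(Properties props) {
            this.props = props;
        }

        /** Absent key means false, matching the don't-escape-by-default behavior of 1.2. */
        boolean escapeXmlByDefault() {
            return Boolean.parseBoolean(props.getProperty(DEFAULT_ESCAPE_KEY, "false"));
        }
    }

    /**
     * Stand-in for display:column. A null escapeAttr means the escapeXml
     * attribute was not written on the tag, so the configured default applies.
     */
    static String renderCell(Object value, Boolean escapeAttr, TableProperties config) {
        boolean escape = (escapeAttr != null) ? escapeAttr.booleanValue()
                                              : config.escapeXmlByDefault();
        String text = (value == null) ? "" : value.toString();
        return "<td>" + (escape ? escapeXml(text) : text) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample cell value of the kind an HTML injection attempt would carry.
        String hostile = "<script>alert(1)</script>";

        Properties legacy = new Properties();                 // key absent: 1.2 behavior
        Properties conservative = new Properties();
        conservative.setProperty(DEFAULT_ESCAPE_KEY, "true"); // escape-by-default environment

        TableProperties legacyConfig = new TableProperties(legacy);
        TableProperties safeConfig = new TableProperties(conservative);

        // Attribute omitted on the tag: the outcome depends on the configured default.
        System.out.println(renderCell(hostile, null, legacyConfig)); // raw markup reaches the page
        System.out.println(renderCell(hostile, null, safeConfig));   // &lt;script&gt;...&lt;/script&gt;

        // Attribute written explicitly on the tag: it overrides the default either way.
        System.out.println(renderCell(hostile, Boolean.FALSE, safeConfig));  // developer opted out
        System.out.println(renderCell(hostile, Boolean.TRUE, legacyConfig)); // developer opted in
    }
}
```

The point of the three-valued attribute (true, false, not set) is that switching the default to escape-by-default changes only the cells where the developer never made a decision; columns that explicitly set escapeXml keep rendering exactly as before, which is what keeps such a property backwards compatible.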