On Tue, 20 Nov 2001, Jeff Schnitzer wrote:

> Date: Tue, 20 Nov 2001 17:23:48 -0800
> From: Jeff Schnitzer <[EMAIL PROTECTED]>
> Reply-To: Jakarta General List <[EMAIL PROTECTED]>
> To: Jakarta General List <[EMAIL PROTECTED]>
> Subject: RE: Cross site scripting
>
> > From: Jon Stevens [mailto:[EMAIL PROTECTED]]
> >
> > Does anyone have code they want to contribute to get this started? How
> > are you currently dealing with these issues? What is your favorite way to
> > escape things? Do you filter/escape all content or only some content? Etc.
>
> In the world of XSL, I think these issues are already taken care of.  At
> least in a "domified" approach, the data only ever gets translated into
> XML as a final step, and the XSL processor automatically escapes
> anything that will have XML or HTML meaning.
>
> In the world of JSP, I would expect that bean-access custom tags would
> do this escaping.  Do the Struts taglibs or any of the jakarta taglibs
> take care of this?
>

Struts does, by default.  On a few tags you can explicitly turn this off
if you are willing to take the risks.

Struts does, unless you explicitly tell it not to.  As long as you use
tags like <bean:write>

> In the world of Velocity... is there a switch that can be set on
> Velocity to automatically escape anything with XML/HTML meaning?  Should
> there be?
>
> Of course, all these effectively disable _all_ htmlish tags, which might
> not be wholly desirable... still, it seems to me that the best
> approach is to escape everything and then selectively translate *back*
> only the tags you want working (like <b>).
>

That seems like a lot of extra work, and is unnecessary if all the dynamic
output is processed appropriately.

> Jeff Schnitzer
> [EMAIL PROTECTED]
>

Craig
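As an added illustration of the two approaches discussed in this thread (this is not code from the thread, from Struts, or from Velocity), here is a plain Java version of a whole-string HTML escape of the kind `<bean:write>` applies by default, next to Jeff's "escape everything, then translate back only the tags you want" approach. The class name, the allow-list of tags and the sample input are assumptions made for the example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class HtmlEscape {

    /** Escape every character with HTML/XML meaning (the default <bean:write> behaviour). */
    public static String escape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Assumed allow-list: only bare, attribute-less tags are translated back after escaping,
    // so attributes such as event handlers can never survive into the output.
    private static final Pattern ALLOWED =
        Pattern.compile("&lt;(/?)(b|i|em|strong)&gt;", Pattern.CASE_INSENSITIVE);

    /** Escape everything first, then re-enable only the allow-listed tags. */
    public static String escapeAllowing(String s) {
        Matcher m = ALLOWED.matcher(escape(s));
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, "<" + m.group(1) + m.group(2).toLowerCase() + ">");
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input mixing a wanted tag, an unwanted tag and bare metacharacters.
        String input = "<b>hi</b> <script>alert(1)</script> & \"x\"";
        System.out.println(escape(input));          // everything escaped
        System.out.println(escapeAllowing(input));  // only <b>...</b> restored
    }
}
```

The second approach costs a second pass over every string, which is the "extra work" Craig refers to; if every dynamic value already goes through an escaping tag, the first function alone is sufficient.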

