on 11/20/01 11:54 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:

> However, Jon is asking for container-based solutions -- I guess that
> requiring the use of Struts tags for all your output qualifies.  :-)
> 
> Craig

Sigh. I am *not* asking for a container-based solution.

Because something got lost in your translation of what I'm saying, just to
be clear, I'm asking for a library that takes a String as input and returns
a String as output and provides the various encoding schemes for preventing
CSS attacks (it seems like none of them are a magic bullet, but combined,
they do the job depending on the level of protection you need).

Something like:

public class CSSCondom
{
    public String getEscapedHtml(String input);
    public String getStrippedHtml(String input);
    public String removeScriptTags(String input);
}

Velocity has a cool feature where you can attach what are called
EventCartridges to items in the Context so that when they are rendered in a
template, code is executed. This is similar to having a taglib bean return
data that has been 'protected'.

<http://jakarta.apache.org/velocity/developer-guide.html#EventCartridge%20and%20Event%20Handlers>

In this case, I'm developing a ReferenceInsertionEventHandler that would
rely on this general CSSCondom library to help protect me from unwanted
outcomes.

Thanks.

-jon
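
The String-in, String-out library requested in the message above could look like the following Java sketch. It is an added example, not code from the thread or from any Jakarta project; the class name `OutputEncoder` and all method bodies are assumptions, with only the method names taken from the post.

```java
import java.util.regex.Pattern;
// Added illustration, not code from the thread. The class name and method
// bodies are assumptions; the method names follow the sketch in the post.
public final class OutputEncoder {
    private static final Pattern SCRIPT_BLOCK = Pattern.compile(
            "<script\\b[^>]*>.*?</script\\s*>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    private static final Pattern ANY_TAG = Pattern.compile("<[^>]*>");

    // Encode the characters that are significant in HTML text and quoted
    // attribute values. Nothing is removed; the input is rendered as text.
    public static String getEscapedHtml(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (char c : input.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Drop anything tag-shaped, then escape the remainder so a leftover
    // '<' or '&' still cannot start markup.
    public static String getStrippedHtml(String input) {
        if (input == null) return "";
        return getEscapedHtml(ANY_TAG.matcher(input).replaceAll(""));
    }

    // Remove <script> blocks only, repeating until the text stops changing.
    // Other markup is left intact, so escape the result before output.
    public static String removeScriptTags(String input) {
        if (input == null) return "";
        String prev, cur = input;
        do { prev = cur; cur = SCRIPT_BLOCK.matcher(cur).replaceAll(""); }
        while (!cur.equals(prev));
        return cur;
    }

    public static void main(String[] args) {
        String sample = "<b>hi</b><script>alert(1)</script> & bye"; // constructed input
        System.out.println(getEscapedHtml(sample) + "\n"
                + getStrippedHtml(sample) + "\n" + removeScriptTags(sample));
    }
}
```

These encodings cover HTML text and quoted attribute values only; values placed in URLs, script blocks or style sheets need an encoder for that context.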

