Hi Nathan - thanks.  Anyone have any additional thoughts on this?  Beginning 
to believe that without writing my own plugin to Velocity, escaping HTML in 
Velocity Layout Servlet is impossible (short of putting in some sort of escape 
tag).

Thanks,

Dave

--- On Mon, 2/2/09, Nathan Bubna <nbu...@gmail.com> wrote:

> From: Nathan Bubna <nbu...@gmail.com>
> Subject: Re: Escaping HTML with Velocity Layout Servlet
> To: "general" <general@velocity.apache.org>, "dcreed97" <dcree...@yahoo.com>
> Date: Monday, February 2, 2009, 1:14 PM
> Hmm.  That's odd that nothing gets escaped in the screen
> when you set
> "eventhandler.escape.html.match to
> /^screen_content/".  I'll have to
> try this out myself, as i'm fairly sure that should
> have done the
> trick.
> 
> 2009/1/29 dcree...@yahoo.com <dcree...@yahoo.com>:
> > Hi -
> >
> > I couldn't find an answer to this in the list
> archives or with general web search.  I am trying to escape
> HTML when displaying user entered data for typical usual
> reasons of not having my app open to CSS attack.
> >
> > I have setup the EscapeHtmlReference code and it works
> fine, but the issue is that using the layout servlet, it
> appears that html escaping tool either escapes the entire
> $screen_content value or, by setting
> eventhandler.escape.html.match to /^screen_content/, none of
> it.  It appears that the tool isn't aware (or
> doesn't have visibility into) of the pre merged state of
> everything below $screen_content, and so merges everything
> and then escapes everything in $screen_content.
> >
> > Is there an HTML reference escaper that is aware of
> layouts and can properly handle this situation (i.e.,
> don't just escape $screen_content - escape everything in
> the template content).
> >
> > Thank you for any thoughts,
> >
> > Dave
> >
> >
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> general-unsubscr...@velocity.apache.org
> > For additional commands, e-mail:
> general-h...@velocity.apache.org
> >
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@velocity.apache.org
For additional commands, e-mail: general-h...@velocity.apache.org
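The thread turns on where in the two-stage merge (screen first, then layout with `$screen_content`) the escaping handler runs. The Java below is an added illustration, not code from the thread or from the Velocity project: it reproduces that two-stage merge with plain `VelocityEngine` instances instead of `VelocityLayoutServlet`, escaping references only in the screen engine so that user data is escaped at the point it is inserted, while the layout engine inserts the already-rendered `$screen_content` verbatim. The template strings and the sample user value are constructed here; the property name `eventhandler.referenceinsertion.class` is the Velocity 1.x key (the same family as the `eventhandler.escape.html.match` key discussed above), and `EscapeHtmlReference` needs commons-lang on the classpath in those versions.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

/*
 * Added example, not from the mailing-list thread or the Velocity project.
 * Reproduces the screen-then-layout merge that VelocityLayoutServlet does,
 * but with two separately configured engines so that HTML escaping happens
 * where user data enters (the screen), never on the assembled fragment.
 * Assumes Velocity 1.6/1.7 property names.
 */
public class LayoutEscapeDemo {

    // Constructed sample templates standing in for the screen and layout files.
    static final String SCREEN = "<p>Hello, $user_name!</p>";
    static final String LAYOUT =
        "<html><body><div id=\"main\">$screen_content</div></body></html>";

    // Screen engine: every reference insertion goes through EscapeHtmlReference.
    static VelocityEngine escapingEngine() throws Exception {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty("eventhandler.referenceinsertion.class",
            "org.apache.velocity.app.event.implement.EscapeHtmlReference");
        ve.init();
        return ve;
    }

    // Layout engine: no escaping, because $screen_content is markup that the
    // escaping engine already produced; escaping it again would mangle the page.
    static VelocityEngine plainEngine() throws Exception {
        VelocityEngine ve = new VelocityEngine();
        ve.init();
        return ve;
    }

    static String merge(VelocityEngine ve, String template,
                        VelocityContext ctx, String logTag) throws Exception {
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, logTag, template);
        return out.toString();
    }

    // Full page render: stage 1 escapes user data, stage 2 wraps the result.
    public static String renderPage(String userName) throws Exception {
        VelocityContext screenCtx = new VelocityContext();
        screenCtx.put("user_name", userName);
        String screen = merge(escapingEngine(), SCREEN, screenCtx, "screen");

        VelocityContext layoutCtx = new VelocityContext();
        layoutCtx.put("screen_content", screen);
        return merge(plainEngine(), LAYOUT, layoutCtx, "layout");
    }

    public static void main(String[] args) throws Exception {
        // Constructed user input containing markup characters.
        String page = renderPage("<i>Dave</i> & \"friends\"");
        System.out.println(page);
        // The layout's own markup must survive intact; the user's markup must not.
        if (!page.contains("<div id=\"main\">") || page.contains("<i>Dave</i>")) {
            throw new IllegalStateException("escaping applied at the wrong stage");
        }
    }
}
```

The design choice is to select the escaping behaviour by engine rather than by reference-name regex: the screen engine escapes everything it inserts, and the layout engine escapes nothing, so there is no single handler that has to tell `$screen_content` apart from the references inside it.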