I don't know of a way to do this, but I'm sure it's possible. One
thing you could do is use wiki syntax in your i18n bundles and then
add some sort of extra processing step that converts those to HTML.
The danger isn't in the i18n bundles, it's in the user entered data.

Matt

On 1/27/08, Rob Hills <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> While testing my app (AppFuse 2.0.1 + Struts2) I noticed a success message 
> from my ApplicationResources.properties file
> displaying the raw HTML markup (<strong> ... ) rather than processing it.
>
> A Google Search led me to APF 880 in which HTML was removed from 
> AR.properties because of potential XSS holes and
> messages.jsp was changed to escape HTML.
>
> I had originally started my app in AppFuse 2.0 and then upgraded to 2.0.1.  
> In the process, I missed the step of removing
> markup from my ApplicationResources.properties file.
>
> My problem is that I quite liked the ability to mark up the messages and I'm 
> wondering if there's any _safe_ way of
> reinstating that capability.  I know I could just edit my messages.jsp and 
> put "escapeXml=true" in my c:out tags, but of
> course I'd be re-introducing the XSS risk.
>
> Could it be possible to not escape the text of the i18n message, but to escape
> any variables included in it?
>
> TIA,
> Rob Hills
> Waikiki, Western Australia
> Mobile +61 (412) 904-357
> Fax: +61 (8) 9529-2137
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
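One way to implement what Rob asks for, escaping the untrusted arguments while leaving the developer-controlled message text alone, is shown below. This is an added example, not code from this thread, from AppFuse or from Struts; the property value and the user-supplied name are constructed samples, and `formatTrusted` and `escapeHtml` are hypothetical helper names. It uses `java.text.MessageFormat`, which is the same `{0}` placeholder style used by Struts2 `getText(key, args)`.

```java
import java.text.MessageFormat;
import java.util.Locale;

public class SafeMessageFormatter {

    /** Minimal HTML escaping for text placed into an HTML document. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Formats a trusted message pattern (one that comes only from the
     * developer-controlled properties bundle, so it may contain HTML) with
     * untrusted arguments. Only the arguments are escaped; the pattern is not.
     */
    static String formatTrusted(String pattern, Locale locale, Object... args) {
        Object[] escaped = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            // Arguments are escaped as plain text before MessageFormat
            // substitutes them, so markup in user data is rendered literally.
            escaped[i] = escapeHtml(String.valueOf(args[i]));
        }
        return new MessageFormat(pattern, locale).format(escaped);
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of value a key in
        // ApplicationResources.properties might hold. A real app would load it
        // through ResourceBundle / the Struts2 TextProvider rather than inline.
        String pattern = "<strong>Success:</strong> user {0} was created.";

        // Constructed sample of user-entered data containing markup.
        String untrustedName = "<script>alert(1)</script>";

        System.out.println(formatTrusted(pattern, Locale.ENGLISH, untrustedName));
    }
}
```

The rule this enforces is the one Matt's reply points at: the bundle text is trusted because only developers write it, so it may carry `<strong>` and friends; everything substituted into it is escaped. If you would rather keep the bundles free of raw HTML (Matt's wiki-syntax idea), the same split applies: convert the trusted template to HTML first, escape the arguments as above, and never run the wiki-to-HTML conversion over the argument text. The JSP that prints the result must then output it unescaped (the `c:out` tag escapes by default), which is safe only if every message that reaches it was built this way and never assembled directly from request data.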