If I understand what you're saying, escaping of HTML characters should ONLY work with references, but Peter's Filter proposal works on all text.
Is it feasible to implement a solution that allows the filter developer to specify A) applies to all text or B) applies only to evaluated references?

WILL

----- Original Message -----
From: "Daniel Dekany" <[EMAIL PROTECTED]>
To: "Velocity Developers List" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 12:08 PM
Subject: Re: Proposal: Filters

> Monday, June 23, 2003, 7:37:11 PM, Will Glass-Husain wrote:
>
> > Hi Peter,
> >
> > Another useful capability the filter mechanism could implement is escaping
> > of HTML characters to prevent cross-site scripting vulnerabilities. I think
> > Daniel Dekany suggested this.
> >
> > http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgId=724515
>
> That can't be implemented as a filter, because that escapes only the
> output of $foo-s. So if you write:
>
> #escape(html)
> ...
> <p><b>Title: </b> $title
> ...
> #end
>
> then, assuming that the value of title is "Romeo & Juliet", the output
> is:
>
> ...
> <p><b>Title: </b> Romeo &amp; Juliet
> ...
>
> Only the $title was HTML-escaped, but the static text was not.
>
> --
> Best regards,
> Daniel Dekany
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
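The distinction Will asks about, shown as an added Python example that is not code from the Velocity project or from anyone in this thread: a constructed stand-in renderer with Velocity-style `$reference` syntax, run with escaping applied to every character of the output (option A) and with escaping applied only to the values substituted for references (option B). Only option B keeps the static `<p><b>` markup intact while neutralising `&`, `<` and `>` in the inserted value.

```python
import html
import re

# Constructed template modelled on the thread's example (not a real Velocity template).
TEMPLATE = "<p><b>Title: </b> $title</p>"

# Matches simple Velocity-style references such as $title or ${title}.
REF_RE = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")


def render(template, context, escape_scope):
    """Render `template`, substituting $references from `context`.

    escape_scope="references": HTML-escape only the inserted reference values,
        which is what Daniel describes the #escape(html) block as doing (option B).
    escape_scope="all": HTML-escape every character of the output, static markup
        included, which is what a filter over all text would do (option A).
    escape_scope="none": no escaping; inserted values land in the page verbatim.
    """
    def substitute(match):
        value = str(context.get(match.group(1), ""))
        if escape_scope == "references":
            return html.escape(value, quote=True)
        return value

    out = REF_RE.sub(substitute, template)
    if escape_scope == "all":
        return html.escape(out, quote=True)
    return out


def demo():
    """Render the thread's title example under each escaping scope."""
    ctx = {"title": "Romeo & Juliet"}
    return {scope: render(TEMPLATE, ctx, scope) for scope in ("none", "references", "all")}


if __name__ == "__main__":
    for scope, output in demo().items():
        print(f"{scope:11} {output}")
```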
