Monday, June 23, 2003, 7:37:11 PM, Will Glass-Husain wrote:
Hi Peter,
Another useful capability the filter mechanism could implement is escaping of HTML characters to prevent cross-site scripting vulnerabilities. I think Daniel Dekany suggested this.
http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgId=724515
That can't be implemented as a filter, because that escapes only the output of $foo-s. So if you write:
Daniel,
You're right. The initial proposal only affects rendered text. Perhaps it would make sense to widen up the proposal to support use cases like the #escape thing. I am not really sure how to implement this, though. The first idea that comes into my mind w/o looking at the source is to have some kind of event that is thrown whenever something is added to the output. Otherwise I would not know how to "monitor" the VTL. Is there already something in the core that lets you implement something like the #escape-thing? I will look a bit closer into the source while I am thinking about all this.
Regards, Peter
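The two hook points the thread is circling, modelled in Python as an added example (not Velocity code, and not from any of the posters): a reference-insertion filter that escapes each $ref as it is inserted, beside a #escape block that wraps the output writer so that everything written inside it is escaped. The toy template syntax, the #include directive, the in-memory resources and the hostile sample value are assumptions made for illustration.

```python
"""Two places to hook HTML escaping into a template engine: at reference
insertion (every $ref) or around the output writer for a block
(#escape ... #end). Added example; not Velocity's implementation."""
import html
import re

# Assumed toy grammar: $name references, #include("res"), #escape ... #end.
TOKEN = re.compile(
    r'\$(?P<ref>\w+)'
    r'|#include\("(?P<inc>[^"]*)"\)'
    r'|#(?P<kw>escape|end)\b'
)

# Constructed in-memory resources standing in for files on disk.
RESOURCES = {
    "banner.html": "<b>Welcome</b>",
    "user_upload.txt": "<img src=x onerror=alert(1)>",   # attacker-controlled file
}

# Constructed hostile context value.
CONTEXT = {"name": "<script>alert(1)</script>"}


def escape_html(s: str) -> str:
    return html.escape(s, quote=True)


class ListWriter:
    """Plain output sink."""
    def __init__(self):
        self.parts = []

    def write(self, s: str) -> None:
        self.parts.append(s)

    def getvalue(self) -> str:
        return "".join(self.parts)


class EscapingWriter:
    """The #escape mechanism: sits on the output stream, so it sees literal
    text, #include output and reference output alike."""
    def __init__(self, inner):
        self.inner = inner

    def write(self, s: str) -> None:
        self.inner.write(escape_html(s))


def escape_reference(name: str, value: str) -> str:
    """The filter proposal: runs only when a $ref is inserted."""
    return escape_html(value)


def render(template, context, reference_filter=None, resources=RESOURCES):
    """Render `template`; `reference_filter(name, value)`, if given, is applied
    to every $ref insertion and to nothing else."""
    out = ListWriter()
    writer = out          # current sink; swapped for an EscapingWriter inside #escape
    pos = 0
    for m in TOKEN.finditer(template):
        writer.write(template[pos:m.start()])        # literal template text
        pos = m.end()
        if m.group("ref") is not None:
            value = str(context.get(m.group("ref"), ""))
            if reference_filter is not None:
                value = reference_filter(m.group("ref"), value)
            writer.write(value)
        elif m.group("inc") is not None:
            writer.write(resources[m.group("inc")])  # raw: bypasses the reference filter
        elif m.group("kw") == "escape":
            writer = EscapingWriter(out)
        else:                                        # #end
            writer = out
    writer.write(template[pos:])
    return out.getvalue()


def demo():
    t = "<p>Hi $name</p>"
    unfiltered = render(t, CONTEXT)                                   # XSS
    filtered = render(t, CONTEXT, reference_filter=escape_reference)  # $name escaped, <p> kept
    # The reference filter never sees #include output, so the upload goes out raw.
    included = render('#include("banner.html")#include("user_upload.txt")',
                      CONTEXT, reference_filter=escape_reference)
    # #escape escapes whatever reaches the writer inside the block, including
    # the template's own markup and included content.
    block = render("#escape<p>$name</p>#end", CONTEXT)
    block_inc = render('#escape#include("user_upload.txt")#end', CONTEXT)
    return unfiltered, filtered, included, block, block_inc


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The two hooks answer different questions: the reference filter keeps the template author's markup and neutralises data, which is the XSS defence; the block form treats an entire region (including literal text and anything a directive writes) as text, and is the only one of the two that catches output that never passes through reference insertion. Enabling both at once double-escapes references inside a #escape block, so a real implementation needs one to defer to the other. Escaping for an HTML text node is also not the right transformation for attribute, URL or script contexts.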
