Monday, June 23, 2003, 9:53:50 PM, Peter Romianowski wrote:

> Daniel Dekany wrote:
>
>> Monday, June 23, 2003, 7:37:11 PM, Will Glass-Husain wrote:
>> 
>> 
>>>Hi Peter,
>>>
>>>Another useful capability the filter mechanism could implement is escaping
>>>of HTML characters to prevent cross-site scripting vulnerabilities.  I think
>>>Daniel Dekany suggested this.
>>>
>>>http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgId=724515
>> 
>> 
>> That can't be implemented as a filter, because that escapes only the
>> output of $foo-s. So if you write:
>
> Daniel,
>
> You're right. The initial proposal only affects rendered text. Perhaps it
> would make sense to widen the proposal to support use cases like the #escape
> thing. I am not really sure how to implement this, though. The first idea that
> comes into my mind w/o looking at the source is to have some kind of event that
> is thrown whenever something is added to the output. Otherwise I would not know
> how to "monitor" the VTL.

I don't think that filtering should deal with automatic escaping. These
are two different animals. To implement automatic escaping, most
probably you should hack the code that builds the tree from the
template. OTOH, a filter is just a Writer that writes into another
Writer.

> Is there already something in the core that lets you implement
> something like the #escape-thing?

I don't know... I'm not even a Velocity user, so... you see. The only
thing I can say, at the risk of being lynched :), is that you may look at
the FreeMarker Manual and source code (it has automatic escaping, and
filters too (called "transform")).

> I will look a bit closer into the source while I am thinking about all
> this.

I say, don't deal with escaping when you are dealing with the filter
feature. These two things most probably do not cross each other.

-- 
Best regards,
 Daniel Dekany
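The distinction drawn in the message above, as an added example that is not part of the original thread and is neither Velocity nor FreeMarker code: a toy template tree (literal text nodes and $reference nodes; every class and method name here is hypothetical) rendered three ways. HtmlEscapingWriter is a filter in the sense used in the thread, a Writer that writes into another Writer. It only sees a character stream, so it escapes the template's own markup along with the value. Tree-level escaping is applied inside the reference node, where the renderer still knows which characters came from $name. The template and the hostile value are constructed sample input.

```java
import java.io.FilterWriter;
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.List;
import java.util.Map;

public class EscapingLayers {

    // Escaping for HTML element content only. Attribute, URL and
    // script contexts need different rules; this is a demonstration.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // A filter in the sense of the thread: a Writer that writes into
    // another Writer. It only sees characters, so it cannot tell the
    // template's own markup from an interpolated value.
    static class HtmlEscapingWriter extends FilterWriter {
        HtmlEscapingWriter(Writer out) { super(out); }

        @Override public void write(int c) throws IOException {
            out.write(escapeHtml(String.valueOf((char) c)));
        }
        @Override public void write(char[] buf, int off, int len) throws IOException {
            out.write(escapeHtml(new String(buf, off, len)));
        }
        @Override public void write(String s, int off, int len) throws IOException {
            out.write(escapeHtml(s.substring(off, off + len)));
        }
    }

    // Toy template tree (hypothetical, not Velocity's AST): literal text
    // nodes and $reference nodes. autoEscape is the tree-level switch.
    interface Node {
        void render(Map<String, String> ctx, Writer w, boolean autoEscape) throws IOException;
    }

    static Node text(String literal) {
        return (ctx, w, autoEscape) -> w.write(literal);
    }

    static Node ref(String name) {
        return (ctx, w, autoEscape) -> {
            String value = String.valueOf(ctx.get(name));
            // Tree-level escaping: applied where $name is rendered and
            // nowhere else, so the template's literal markup is untouched.
            w.write(autoEscape ? escapeHtml(value) : value);
        };
    }

    static String render(List<Node> tree, Map<String, String> ctx,
                         boolean useFilterWriter, boolean autoEscape) throws IOException {
        StringWriter sink = new StringWriter();
        Writer out = useFilterWriter ? new HtmlEscapingWriter(sink) : sink;
        for (Node n : tree) {
            n.render(ctx, out, autoEscape);
        }
        out.flush();
        return sink.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: template "<b>Hello $name</b>" with a hostile value.
        List<Node> tree = List.of(text("<b>Hello "), ref("name"), text("</b>"));
        Map<String, String> ctx = Map.of("name", "<script>alert(1)</script>");

        System.out.println("no escaping:   " + render(tree, ctx, false, false));
        System.out.println("filter writer: " + render(tree, ctx, true, false));
        System.out.println("tree-level:    " + render(tree, ctx, false, true));
    }
}
```

Running main shows the three outcomes side by side: with no escaping the script tag reaches the page; with the escaping filter Writer the value is neutralised but so are the template's own <b> tags, because the filter cannot distinguish them; with escaping in the reference node only the value is escaped and the markup survives. That is the practical reason escaping belongs in the tree-building or rendering code rather than in a Writer-to-Writer filter.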


