Hi,

Might be okay then. Don't most of the problems with cross-site scripting vulnerabilities occur with user-entered text that is then displayed? The point is to prevent a user from inputting <SCRIPT> by turning it into &lt;SCRIPT&gt;. I'd think that this would almost always occur via a Velocity reference.

If an HTML escaping filter affects the output of references, this would solve that issue.

WILL

----- Original Message -----
From: "Peter Romianowski" <[EMAIL PROTECTED]>
To: "Velocity Developers List" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 12:53 PM
Subject: Re: Proposal: Filters

> Daniel Dekany wrote:
>
> > Monday, June 23, 2003, 7:37:11 PM, Will Glass-Husain wrote:
> >
> >> Hi Peter,
> >>
> >> Another useful capability the filter mechanism could implement is escaping
> >> of HTML characters to prevent cross-site scripting vulnerabilities. I think
> >> Daniel Dekany suggested this.
> >>
> >> http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED] apache.org&msgId=724515
> >
> > That can't be implemented as a filter, because that escapes only the
> > output of $foo-s. So if you write:
>
> Daniel,
>
> You're right. The initial proposal only affects rendered text. Perhaps it
> would make sense to widen up the proposal to support use cases like the #escape
> thing. I am not really sure how to implement this, though. The first idea that
> comes into my mind w/o looking at the source is to have some kind of event that
> is thrown whenever something is added to the output. Otherwise I would not know
> how to "monitor" the VTL. Is there already something in the core that lets you
> implement something like the #escape-thing? I will look a bit closer into the
> source while I am thinking about all this.
>
> Regards,
> Peter
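The distinction the thread is drawing (a filter that only touches the output of $foo references, versus an #escape-style directive applied to a whole block) is easier to see on a concrete renderer. The following Python stand-in is an added example and is not Velocity code or anything from the Velocity project: it models a reference-insertion hook, the kind of "event thrown whenever something is added to the output" Peter describes, beside a block directive whose #escape/#end syntax is assumed here purely for illustration, and renders one constructed template both ways.

```python
import html
import re

# Constructed stand-in for a Velocity-like renderer; it is NOT Velocity's code.
# References look like $name or ${name}; anything else is literal template text.
REF_RE = re.compile(r"\$\{?(\w+)\}?")
# Assumed syntax for a block-level escape directive, modelled on the "#escape thing"
# from the thread; Velocity's real directive set is not used here.
ESCAPE_BLOCK_RE = re.compile(r"#escape\s*(.*?)#end", re.S)


def escape_html(value):
    """HTML-escape a value so that markup inside it is shown as text, not parsed.
    quote=True also escapes quotes, which matters when a reference lands in an attribute."""
    return html.escape(str(value), quote=True)


def render(template, context, reference_hook=None):
    """Substitute references; literal template text is emitted unchanged.

    reference_hook is called on every inserted reference value. Passing
    escape_html here is the 'filter on the output of $foo' idea from the thread:
    it only ever sees reference values, never the literal markup around them.
    """
    def substitute(match):
        name = match.group(1)
        if name not in context:
            return match.group(0)  # unresolved reference stays literal
        value = context[name]
        return reference_hook(value) if reference_hook else str(value)
    return REF_RE.sub(substitute, template)


def render_with_escape_blocks(template, context):
    """Model of an #escape ... #end directive.

    Everything inside the block, literal text and references alike, is rendered
    and then escaped. Text outside the block is rendered without escaping. The
    segments are rendered separately so that an escaped value is never fed
    through reference substitution a second time.
    """
    out, pos = [], 0
    for match in ESCAPE_BLOCK_RE.finditer(template):
        out.append(render(template[pos:match.start()], context))
        out.append(escape_html(render(match.group(1), context)))
        pos = match.end()
    out.append(render(template[pos:], context))
    return "".join(out)


# Constructed sample: $name is the user-entered text, $title is trusted page data.
CONTEXT = {"name": "<script>alert(1)</script>", "title": "Guest book"}
TEMPLATE = "<h1>$title</h1><p>Posted by $name</p>"
BLOCK_TEMPLATE = "<h1>$title</h1>#escape<p>Posted by $name</p>#end"


def demo():
    """Return the three renderings side by side for comparison."""
    raw = render(TEMPLATE, CONTEXT)                                 # script tag survives
    hooked = render(TEMPLATE, CONTEXT, reference_hook=escape_html)  # only $name is escaped
    blocked = render_with_escape_blocks(BLOCK_TEMPLATE, CONTEXT)    # whole block escaped
    return raw, hooked, blocked


if __name__ == "__main__":
    for label, text in zip(("no filter", "reference hook", "#escape block"), demo()):
        print(f"{label:15} {text}")
```

Running it shows why the two proposals differ: the reference hook neutralises the user-supplied `<script>` while leaving the template's own `<h1>` and `<p>` intact, which is the behaviour Will is after, whereas the block directive escapes the template's literal markup too. The hook never rewrites anything that was not inserted through a reference, so it cannot help with markup that is part of the template itself, which is the limitation Daniel raises.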
