Peter Romianowski wrote:
Daniel Dekany wrote:

Monday, June 23, 2003, 7:37:11 PM, Will Glass-Husain wrote:


Hi Peter,

Another useful capability the filter mechanism could implement is escaping
of HTML characters to prevent cross-site scripting vulnerabilities. I think
Daniel Dekany suggested this.


http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]&msgId=724515




That can't be implemented as a filter, because that escapes only the output of $foo-s. So if you write:


Daniel,

You're right. The initial proposal only affects rendered text. Perhaps it
would make sense to widen up the proposal to support use cases like the #escape
thing.

Peter,


Filters and the escaping of variable output are two completely separate things. For example, FreeMarker has had filters (a.k.a. transforms) for a long time. It was introduced before I was actively involved in development -- like version 1.6. The block-escaping stuff was introduced much later -- in the 2.1 cycle.

They're completely different things because a filter or transform is applied at render-time and the variable-escaping stuff is applied at parse time. You figure out which variables are HTML-escaped or whatever when you compile the template and then there is no cost at render-time -- or hardly any.


I am not really sure how to implement this, though. The first idea that
comes into my mind w/o looking at the source is to have some kind of event that
is thrown whenever something is added to the output.

You shouldn't have to figure out if something needs to be escaped every time you output. It should be figured out once as part of the parse/compile step.


Otherwise I would not know how to "monitor" the VTL. Is there already something
in the core that lets you implement something like the #escape-thing?

IIRC, supporting this in FreeMarker required a significant refactoring of our codebase. There was a very very big code cleanup/redesign/refactoring that occurred in the 2.0 and 2.1 cycles (since then, things have been more incremental) and that cleanup was what allowed us to move forward on some interesting new functionality.


I will look a bit closer into the source while I am thinking about all this.

Which source? The Velocity source or the FreeMarker source? ;-)


Cheers,

Jonathan Revusky
--
lead developer, FreeMarker project, http://freemarker.org/
FreeMarker-Velocity comparison page, http://freemarker.org/fmVsVel.html
FreeMarker 2.3pre5 is out!


Regards, Peter
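The distinction Jonathan draws above (a render-time filter that escapes every $foo it sees versus a block-escaping directive whose decisions are fixed when the template is compiled) is easy to see in code. The following is an added example, not code from this thread, from Velocity or from FreeMarker: a toy template compiler in Python with an invented `${var}` / `#escape` / `#noescape` / `#end` syntax. `compile_template` walks the source once and tags each interpolation node with an `escape` flag taken from the enclosing block, so `render` does no decision-making at all; `render_with_filter` shows the filter approach, which escapes every interpolation and cannot be switched off for a block of intentionally trusted markup. The template and context values are constructed for the example.

```python
"""Added example: parse-time HTML-escaping decisions in a toy template
compiler. The ${var}, #escape, #noescape and #end syntax is invented for
illustration and is not Velocity or FreeMarker syntax."""
import html
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

# One regex for all tokens: interpolations and the three block directives.
TOKEN = re.compile(r"\$\{(\w+)\}|#escape\b|#noescape\b|#end\b")


@dataclass(frozen=True)
class Text:
    value: str


@dataclass(frozen=True)
class Interp:
    name: str
    escape: bool  # decided once at compile time, never re-evaluated at render time


Node = Union[Text, Interp]


def compile_template(src: str) -> List[Node]:
    """Parse the template once and tag every interpolation with whether it
    must be HTML-escaped. A stack tracks nested #escape/#noescape blocks;
    outside any block the (deliberately unsafe) default is no escaping."""
    nodes: List[Node] = []
    stack: List[bool] = [False]
    pos = 0
    for m in TOKEN.finditer(src):
        if m.start() > pos:
            nodes.append(Text(src[pos:m.start()]))
        tok = m.group(0)
        if tok == "#escape":
            stack.append(True)
        elif tok == "#noescape":
            stack.append(False)
        elif tok == "#end":
            if len(stack) == 1:
                raise SyntaxError("#end without matching #escape/#noescape")
            stack.pop()
        else:
            nodes.append(Interp(m.group(1), escape=stack[-1]))
        pos = m.end()
    if len(stack) != 1:
        raise SyntaxError("unclosed #escape/#noescape block")
    if pos < len(src):
        nodes.append(Text(src[pos:]))
    return nodes


def render(nodes: List[Node], ctx: Dict[str, object]) -> str:
    """Render-time work is just concatenation plus the escape the compiler
    already decided on; nothing is inspected or looked up per output."""
    out = []
    for n in nodes:
        if isinstance(n, Text):
            out.append(n.value)
        else:
            value = str(ctx.get(n.name, ""))
            out.append(html.escape(value, quote=True) if n.escape else value)
    return "".join(out)


def render_with_filter(nodes: List[Node], ctx: Dict[str, object],
                       filt: Callable[[str], str]) -> str:
    """The filter approach: a function applied to every interpolation at
    render time. It ignores the compile-time flags, so it cannot leave a
    block of intentionally trusted markup alone."""
    out = []
    for n in nodes:
        if isinstance(n, Text):
            out.append(n.value)
        else:
            out.append(filt(str(ctx.get(n.name, ""))))
    return "".join(out)


# Constructed sample: an untrusted comment inside an #escape block and a
# server-generated snippet that is meant to stay as markup.
SAMPLE_TEMPLATE = ("<p>Hello ${name}</p>"
                   "#escape<p>${comment}</p>#end"
                   "<div>${trusted_html}</div>")
SAMPLE_CTX = {"name": "Ann",
              "comment": '<b onmouseover="x">hi</b>',
              "trusted_html": "<em>ok</em>"}


def demo() -> Dict[str, str]:
    """Return both renderings of the constructed sample so they can be compared."""
    nodes = compile_template(SAMPLE_TEMPLATE)
    return {"block_escape": render(nodes, SAMPLE_CTX),
            "filter": render_with_filter(nodes, SAMPLE_CTX,
                                         lambda s: html.escape(s, quote=True))}


if __name__ == "__main__":
    for mode, output in demo().items():
        print(f"{mode}: {output}")
```

Run as a script, the block-escaping render neutralises the `comment` value but leaves the `trusted_html` block untouched, while the filter render escapes both; the compiled node list can be rendered any number of times with no per-output decision, which is the "hardly any cost at render-time" point made above.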





