florin.g wrote:
- Built in security (cross site, sql injection, etc.)
I think SQL injection is better handled by the DB layer e.g. an ORM or
PreparedStatement.
As for XSS attacks, Click controls provide some protection by escaping
their values before rendering. However, XSS will still be possible
through Velocity variables unless they are escaped using
Format#html(String):
$format.html($msg)
Velocity also provides a property to escape all variables or
optionally to escape only variables matching a certain expression.
Still, the best way is probably through an XSSFilter which ensures all
HTML entities are escaped. Is this what you had in mind or something else?
Kind regards,
bob
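An added example, not part of the mailing-list message and not Apache Click's or Velocity's own code: a minimal HTML escaper of the kind a helper such as Format#html performs, with a stand-in placeholder renderer (assumed here; Velocity is not used) that shows the same untrusted value rendered raw and rendered escaped. The class and method names are invented for the illustration.

```java
// Added example (not Apache Click's or Velocity's own code): escape an untrusted
// value before it is rendered into HTML, and show what happens when it is not.
import java.util.LinkedHashMap;
import java.util.Map;

public class HtmlEscapeDemo {

    /** Escape the five characters that let a value break out of HTML text or attributes. */
    public static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Stand-in for a template engine (hypothetical, not Velocity): replaces "$name"
     * placeholders with values. With escape=false the value lands in the page as-is,
     * which is the behaviour the message above warns about for plain Velocity
     * variables; with escape=true every value goes through escapeHtml first.
     */
    public static String render(String template, Map<String, String> vars, boolean escape) {
        String out = template;
        for (Map.Entry<String, String> e : vars.entrySet()) {
            String v = escape ? escapeHtml(e.getValue()) : e.getValue();
            out = out.replace("$" + e.getKey(), v);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed untrusted input, e.g. a request parameter echoed back to the user.
        String msg = "<script>alert('xss')</script>";
        Map<String, String> vars = new LinkedHashMap<>();
        vars.put("msg", msg);

        String template = "<p>Your message: $msg</p>";
        // The raw rendering puts a live <script> element in the page; the escaped
        // rendering shows the same text as inert &lt;script&gt; characters.
        System.out.println("unescaped: " + render(template, vars, false));
        System.out.println("escaped:   " + render(template, vars, true));
    }
}
```

Escaping at render time, as `$format.html($msg)` does, keeps the stored data intact and encodes it for the specific place it is emitted. A filter that escapes every incoming parameter is simpler to bolt on but alters the data before it is stored, and HTML entity escaping alone is not the right encoding for values placed inside a JavaScript block or a URL, so a check on where each variable is rendered is still needed whichever approach is chosen.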