[Note: I am sending this email for the second time because, apparently, the first email did not make it to the list. Apologies if it did.]
I am considering implementing context-aware escaping in Velocity. For example, in the following snippet:

    <html>
      <head>
        <title>$v1</title>
        <script>$v2</script>
      </head>

the variable $v1 would be transformed in one way and $v2 in another. The idea is to eliminate the need for any manual work, which would allow for fool-proof defence against XSS attacks. This has already been done elsewhere:

http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html

My thinking is to implement the above by modifying templates on-the-fly, adding an appropriate wrapper for every encountered reference. Is there a way to register a callback with Velocity to be invoked whenever a template is retrieved?

I am sending this email because I am not involved with the Velocity community, yet there could be things that I am missing. Perhaps this sort of thing was previously implemented somewhere or perhaps there is an easier way.

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
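The template-rewriting idea sketched in the message above, as an added illustration that is not part of the original e-mail and not Velocity code: a single pass over the template tracks the HTML context (element content, quoted attribute value, or script body) and wraps each reference in the escaper that matches it, so `$v1` in the title becomes `$esc.html($v1)` while `$v2` in the script becomes `$esc.js($v2)`. The `$esc` tool, the bare `$name` reference syntax, the three escapers and the sample template and values are all assumptions made for this example; a `render` stand-in evaluates only the escaper calls so the effect on hostile input can be seen end to end.

```python
import html
import re

# Reference and tag syntax assumed for this example: a bare "$name" reference
# (Velocity's ${name}, $!name and method calls are deliberately not handled).
REF_RE = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*")
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)")

# "$esc" is a hypothetical escaper tool the rewritten template would call;
# it is not a Velocity built-in.
WRAPPERS = {"html": "$esc.html({})", "attr": "$esc.attr({})", "js": "$esc.js({})"}


def esc_html(value):
    """Element content: neutralise &, < and >."""
    return html.escape(str(value), quote=False)


def esc_attr(value):
    """Quoted attribute value: additionally neutralise both quote characters."""
    return html.escape(str(value), quote=True)


def esc_js(value):
    """JavaScript string literal: hex-escape everything except ASCII alphanumerics,
    so neither a quote nor a closing </script> can survive in the output."""
    out = []
    for ch in str(value):
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


ESCAPERS = {"html": esc_html, "attr": esc_attr, "js": esc_js}


def rewrite(template):
    """Single pass over the template: track the markup context and wrap every
    reference in the escaper matching the context it will be printed into."""
    out = []
    in_script = in_tag = False
    quote = None  # quote character of the attribute value we are inside, if any
    i = 0
    while i < len(template):
        ref = REF_RE.match(template, i)
        if ref:
            if in_tag and quote is None:
                # tag name or unquoted attribute: no escaper makes this safe
                raise ValueError("unescapable context for %s at %d" % (ref.group(0), i))
            ctx = "attr" if in_tag else ("js" if in_script else "html")
            out.append(WRAPPERS[ctx].format(ref.group(0)))
            i = ref.end()
            continue
        c = template[i]
        if in_tag:
            if quote:
                if c == quote:
                    quote = None
            elif c in "\"'":
                quote = c
            elif c == ">":
                in_tag = False
        elif c == "<":
            tag = TAG_RE.match(template, i)
            closing, name = (tag.group(1) == "/", tag.group(2).lower()) if tag else (False, "")
            # inside a script body only the closing </script> tag counts as markup
            if tag and (not in_script or (closing and name == "script")):
                in_tag = True
                if name == "script":
                    in_script = not closing
                out.append(tag.group(0))
                i = tag.end()
                continue
        out.append(c)
        i += 1
    return "".join(out)


CALL_RE = re.compile(r"\$esc\.(html|attr|js)\(\$([A-Za-z_][A-Za-z0-9_]*)\)")


def render(rewritten, values):
    """Stand-in for the template engine: evaluates only the $esc.*() calls."""
    return CALL_RE.sub(lambda m: ESCAPERS[m.group(1)](values[m.group(2)]), rewritten)


# Constructed sample: the snippet from the e-mail, extended with an attribute
# and with a '<' inside the script body that must not be mistaken for a tag.
TEMPLATE = ('<html><head><title>$v1</title>'
            '<script>var s = "$v2"; if (a<b) {}</script></head>'
            '<body><a title="$v3">x</a></body></html>')
HOSTILE = {"v1": "<b>x</b>", "v2": '";alert(1)//', "v3": '" onmouseover="x'}

if __name__ == "__main__":
    print(rewrite(TEMPLATE))
    print(render(rewrite(TEMPLATE), HOSTILE))
```

Two points a real implementation has to go further on: a reference in a tag name or an unquoted attribute is rejected outright here, because no output escaping makes that position safe, and URL-valued attributes (`href`, `src`) are treated as plain attributes, whereas they need a separate URL context so that a `javascript:` value is refused rather than merely quoted. The state machine is also intentionally naive about comments and CDATA; the point it shows is that the escaper choice has to come from the template's parse state, which is exactly what a per-reference insertion hook cannot see on its own.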
