Can't you use a ReferenceInsertionEventHandler? We have ready-made ones for escaping output.
On Wed, Apr 21, 2010 at 1:14 AM, Ivan Ristic <[email protected]> wrote:
> [Note: I am sending this email for the second time because,
> apparently, the first email did not make it to the list. Apologies if
> it did.]
>
> I am considering implementing context-aware escaping in Velocity. For
> example, in the following snippet:
>
> <html>
> <head>
> <title>$v1</title>
> <script>$v2</script>
> </head>
>
> the variable $v1 would be transformed in one way and $v2 in another.
> The idea is to eliminate the need for any manual work, which would
> allow for fool-proof defence against XSS attacks.
>
> This has already been done elsewhere:
>
> http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
>
> My thinking is to implement the above by modifying templates
> on-the-fly, adding an appropriate wrapper for every encountered
> reference. Is there a way to register a callback with Velocity to be
> invoked whenever a template is retrieved?
>
> I am sending this email because I am not involved with the Velocity
> community, yet there could be things that I am missing. Perhaps this
> sort of thing was previously implemented somewhere or perhaps there is
> an easier way.
>
> --
> Ivan Ristic
> ModSecurity Handbook [http://www.modsecurityhandbook.com]
> SSL Labs [https://www.ssllabs.com/ssldb/]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
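The following is an added example, not code from either message in this thread or from the Velocity project: it shows the ReferenceInsertionEventHandler route the reply points to, with a handler that HTML-escapes every $reference as Velocity inserts it into the output. It assumes the Velocity 1.x API (the two-argument referenceInsert signature and EventCartridge.attachToContext); the class name HtmlEscapingHandler, the helper escapeHtml and the sample value placed in the context are constructed for the illustration.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Added example (not from the thread or the Velocity project).
 * Escapes every reference as HTML text via a ReferenceInsertionEventHandler.
 * Assumes Velocity 1.x: referenceInsert(String reference, Object value).
 */
public class HtmlEscapingHandler implements ReferenceInsertionEventHandler {

    // Velocity calls this for each $reference just before it is written out;
    // whatever is returned is what lands in the rendered output.
    public Object referenceInsert(String reference, Object value) {
        if (value == null) {
            return null; // keep Velocity's own null handling for unresolved references
        }
        return escapeHtml(value.toString());
    }

    // Escapes the characters that can change meaning in HTML text or a quoted attribute.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.init();

        VelocityContext context = new VelocityContext();
        // Constructed sample value: markup characters that must not reach the page raw.
        context.put("v1", "<b>user</b> & \"friends\"");

        // Attach the handler to this context so it fires for every reference rendered with it.
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new HtmlEscapingHandler());
        cartridge.attachToContext(context);

        StringWriter out = new StringWriter();
        engine.evaluate(context, out, "example", "<title>$v1</title>");
        System.out.println(out);
    }
}
```

Velocity 1.x also ships ready-made handlers of this kind (org.apache.velocity.app.event.implement.EscapeHtmlReference and siblings for JavaScript, XML and SQL), selectable through the eventhandler.referenceinsertion.class property instead of code. One limit worth noting for the use case in the quoted message: the handler receives only the reference name and its value, not the position in the HTML output where the value lands, so a single handler cannot by itself switch between HTML escaping for $v1 in <title> and JavaScript escaping for $v2 in <script>; that output-context knowledge is what the context-aware approach has to supply on top.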
