On Wed, Apr 21, 2010 at 3:24 PM, Nathan Bubna <nbu...@gmail.com> wrote:
> Can't you use a ReferenceInsertionEventHandler? We have ready-made
> ones for escaping output.

No, I don't think I can, because I need to use different escaping
methods depending on the exact position of every insertion point (in
the template).

> On Wed, Apr 21, 2010 at 1:14 AM, Ivan Ristic <ivan.ris...@gmail.com> wrote:
>> [Note: I am sending this email for the second time because,
>> apparently, the first email did not make it to the list. Apologies if
>> it did.]
>>
>> I am considering implementing context-aware escaping in Velocity. For
>> example, in the following snippet:
>>
>> <html>
>> <head>
>> <title>$v1</title>
>> <script>$v2</script>
>> </head>
>>
>> the variable $v1 would be transformed in one way and $v2 in another.
>> The idea is to eliminate the need for any manual work, which would
>> allow for fool-proof defence against XSS attacks.
>>
>> This has already been done elsewhere:
>>
>> http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
>>
>> My thinking is to implement the above by modifying templates
>> on-the-fly, adding an appropriate wrapper for every encountered
>> reference. Is there a way to register a callback with Velocity to be
>> invoked whenever a template is retrieved?
>>
>> I am sending this email because I am not involved with the Velocity
>> community, yet there could be things that I am missing. Perhaps this
>> sort of thing was previously implemented somewhere or perhaps there is
>> an easier way.
>>
>> --
>> Ivan Ristic
>> ModSecurity Handbook [http://www.modsecurityhandbook.com]
>> SSL Labs [https://www.ssllabs.com/ssldb/]
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
>> For additional commands, e-mail: dev-h...@velocity.apache.org

--
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
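The following is an added illustration of the template-rewriting idea discussed in the thread; it is not Velocity code, not Nathan's ReferenceInsertionEventHandler approach, and not a patch Ivan proposed. It is written in Python so the context-tracking logic can be read and run independently of any template engine: a small state machine walks the template text, notes which HTML context (element text, quoted attribute, URL-valued attribute, or `<script>` body) each `$reference` sits in, and rewrites the reference into a wrapper call such as `$esc.html($v1)` or `$esc.js($v2)`. The `$esc` helper object, the `render` stand-in for the engine, the sample template and the attacker-controlled values are all assumptions constructed for this example.

```python
"""Context-aware auto-escaping by rewriting a template before it is parsed.
Illustration only: not Velocity's code. `$esc` is a hypothetical helper the
rendering code would place in the template context."""
import html
import json
import re
from urllib.parse import urlsplit

# Plain references only ($v1 or ${v1}); method calls, directives and $!silent
# references are out of scope for this illustration.
REF_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
OPEN_TAG_RE = re.compile(r"<\s*([A-Za-z][A-Za-z0-9]*)")
ATTR_NAME_RE = re.compile(r"([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*$")
WRAPPED_RE = re.compile(r"\$esc\.(html|attr|js|url)\(\$([A-Za-z_][A-Za-z0-9_]*)\)")
URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def esc_html(value):
    """Text and quoted-attribute context: &, <, >, " and ' become entities."""
    return html.escape(str(value), quote=True)


def esc_js(value):
    """<script> context: emit a JS string literal, then hex-escape <, >, &
    (so '</script>' cannot close the block) and the U+2028/U+2029 terminators."""
    out = json.dumps(str(value))
    for ch, rep in (("<", r"\u003c"), (">", r"\u003e"), ("&", r"\u0026"),
                    ("\u2028", r"\u2028"), ("\u2029", r"\u2029")):
        out = out.replace(ch, rep)
    return out


def esc_url(value):
    """href/src context: allow only relative and http/https/mailto URLs, then
    attribute-escape. Control characters are dropped before the scheme check
    because browsers ignore them ('java\\tscript:' is still javascript:)."""
    value = str(value)
    if urlsplit(re.sub(r"[\x00-\x20]", "", value)).scheme.lower() not in SAFE_SCHEMES:
        value = "about:invalid"
    return esc_html(value)


ESCAPERS = {"html": esc_html, "attr": esc_html, "js": esc_js, "url": esc_url}


def wrap_references(template):
    """Return the template with every $ref replaced by $esc.<context>($ref)."""
    out, i, state = [], 0, "text"          # state: text | tag | attr | script
    quote = tag_start = attr_ctx = None
    while i < len(template):
        m = REF_RE.match(template, i)
        if m:
            if state == "text":
                ctx = "html"
            elif state == "script":
                ctx = "js"
            elif state == "attr":
                ctx = attr_ctx
            else:   # bare reference inside a tag (unquoted attribute): refuse
                raise ValueError(f"unquoted reference ${m.group(1)} at offset {i}")
            out.append(f"$esc.{ctx}(${m.group(1)})")
            i = m.end()
            continue
        ch = template[i]
        if state == "text" and ch == "<":
            state, tag_start = "tag", i
        elif state == "tag" and ch in "\"'":
            name = ATTR_NAME_RE.search(template[tag_start:i])
            name = name.group(1).lower() if name else ""
            if name.startswith("on") or name == "style":   # JS/CSS inside attributes: unsupported
                raise ValueError(f"unsupported context {name!r} at offset {i}")
            attr_ctx = "url" if name in URL_ATTRS else "attr"
            state, quote = "attr", ch
        elif state == "tag" and ch == ">":
            tag = OPEN_TAG_RE.match(template[tag_start:])
            state = "script" if tag and tag.group(1).lower() == "script" else "text"
        elif state == "attr" and ch == quote:
            state = "tag"
        elif state == "script" and template[i:i + 8].lower() == "</script":
            state, tag_start = "tag", i
        out.append(ch)
        i += 1
    return "".join(out)


def render(wrapped, values):
    """Stand-in for the engine: evaluate each $esc.<ctx>($ref) against `values`."""
    return WRAPPED_RE.sub(lambda m: ESCAPERS[m.group(1)](values[m.group(2)]), wrapped)


# Constructed sample template and attacker-controlled values (not from the thread).
TEMPLATE = (
    "<html><head>\n"
    "<title>$v1</title>\n"
    "<script>var user = $v2;</script>\n"
    "</head><body>\n"
    '<a href="$v3" title="$v4">$v5</a>\n'
    "</body></html>\n"
)
VALUES = {
    "v1": "Tom & Jerry",
    "v2": "</script><script>alert(1)</script>",
    "v3": "javascript:alert(1)",
    "v4": '" onmouseover="alert(1)',
    "v5": "<b>hi</b>",
}

if __name__ == "__main__":
    wrapped = wrap_references(TEMPLATE)
    print(wrapped)
    print(render(wrapped, VALUES))
```

The rewriting step is where the context knowledge lives: the engine's own insertion hook only ever sees the value, which is why a single escaping handler cannot pick the right transformation. Two choices in the example are deliberate practitioner caveats: a reference that lands in an unquoted attribute, an `on*` handler or a `style` attribute is refused rather than guessed at, since no single escaper is safe there, and `esc_url` strips control characters before checking the scheme because browsers tolerate `java\tscript:`.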