Ah, in my haste I read "context-aware" and assumed by "context" you
meant a Context, not template-position.  We even have an
org.apache.velocity.util.ContextAware interface for event handlers.
So you will confuse people around here by using that term otherwise.
:)

And no, there's no extension hooks for the sort of thing you have in
mind globally in a template.  You might be able to create a
userdirective that might then be able to access the node tree of
the body and walk through that making adjustments.  Really not sure
though how best to do it.  You may have to hack your own Velocity
build.

On Wed, Apr 21, 2010 at 7:50 AM, Ivan Ristic <ivan.ris...@gmail.com> wrote:
> On Wed, Apr 21, 2010 at 3:24 PM, Nathan Bubna <nbu...@gmail.com> wrote:
>> Can't you use a ReferenceInsertionEventHandler?  We have ready-made
>> ones for escaping output.
>
> No, I don't think I can, because I need to use different escaping
> methods depending on the exact position of every insertion point (in
> the template).
>
>
>> On Wed, Apr 21, 2010 at 1:14 AM, Ivan Ristic <ivan.ris...@gmail.com> wrote:
>>> [Note: I am sending this email for the second time because,
>>> apparently, the first email did not make it to the list. Apologies if
>>> it did.]
>>>
>>> I am considering implementing context-aware escaping in Velocity. For
>>> example, in the following snippet:
>>>
>>>   <html>
>>>   <head>
>>>   <title>$v1</title>
>>>   <script>$v2</script>
>>>   </head>
>>>
>>> the variable $v1 would be transformed in one way and $v2 in another.
>>> The idea is to eliminate the need for any manual work, which would
>>> allow for fool-proof defence against XSS attacks.
>>>
>>> This has already been done elsewhere:
>>>
>>>   http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
>>>
>>> My thinking is to implement the above by modifying templates
>>> on-the-fly, adding an appropriate wrapper for every encountered
>>> reference. Is there a way to register a callback with Velocity to be
>>> invoked whenever a template is retrieved?
>>>
>>> I am sending this email because I am not involved with the Velocity
>>> community, yet there could be things that I am missing. Perhaps this
>>> sort of thing was previously implemented somewhere or perhaps there is
>>> an easier way.
>>>
>>> --
>>> Ivan Ristic
>>> ModSecurity Handbook [http://www.modsecurityhandbook.com]
>>> SSL Labs [https://www.ssllabs.com/ssldb/]
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
>>> For additional commands, e-mail: dev-h...@velocity.apache.org
>>>
>>>
>>
>
>
>
> --
> Ivan Ristic
> ModSecurity Handbook [http://www.modsecurityhandbook.com]
> SSL Labs [https://www.ssllabs.com/ssldb/]
>

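The point Ivan makes above, that a ReferenceInsertionEventHandler cannot do the job because it sees only the reference and its value, not where in the template the reference sits, is easiest to see with a small position-tracking escaper. The following is an added example written for this page; it is not Velocity code and not from the thread. It uses Python rather than Java because the idea is a scanner over the template text that carries an HTML parsing state (text, inside a tag, inside a quoted attribute, inside a script block) and picks the escaper from that state, which is independent of Velocity's AST. The `$name` / `${name}` reference syntax, the four states, and the refusal to render a reference in an unquoted attribute position are assumptions of the example; the template is the one from the original post, the values are constructed. URL attributes (`href`, `src`), CSS, event-handler attributes and `$!quiet` references are deliberately out of scope.

```python
import html
import json
import re

# Velocity-style references: $name or ${name} (assumed syntax for this example)
REF = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")
# Start of an opening or closing tag: "<title", "</script", ...
TAG_OPEN = re.compile(r"<(/?[A-Za-z][\w-]*)")


def escape_for_context(value, ctx):
    """Escape `value` for the HTML parsing state `ctx` the reference sits in."""
    s = str(value)
    if ctx in ("html_text", "attr"):
        # &, <, >, " and ' are all encoded, so the result is inert both as
        # element text and inside a quoted attribute value.
        return html.escape(s, quote=True)
    if ctx == "js":
        # Emit a JS string literal. json.dumps handles quotes, backslashes and
        # control characters; <, > and & are additionally \u-escaped because the
        # HTML parser runs before the JS parser, so a raw "</script>" inside the
        # string would otherwise terminate the script block.
        return (json.dumps(s)
                .replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))
    # e.g. an unquoted attribute value (<a href=$u>): no escaper makes this safe
    raise ValueError(f"refusing to insert a reference in context {ctx!r}")


def render_autoescaped(template, values):
    """Substitute references, escaping each one according to its position."""
    out = []
    state = "html_text"   # html_text | tag | attr | js
    tag = ""              # name of the tag currently being parsed
    quote = ""            # quote character that opened the current attribute
    i = 0
    while i < len(template):
        m = REF.match(template, i)
        if m:
            out.append(escape_for_context(values[m.group(1)], state))
            i = m.end()
            continue
        c = template[i]
        if state == "html_text":
            t = TAG_OPEN.match(template, i)
            if t:
                tag = t.group(1).lower()
                state = "tag"
                out.append(t.group(0))
                i = t.end()
                continue
        elif state == "tag":
            if c in ('"', "'"):
                quote, state = c, "attr"
            elif c == ">":
                state = "js" if tag == "script" else "html_text"
        elif state == "attr":
            if c == quote:
                state = "tag"
        elif state == "js":
            t = TAG_OPEN.match(template, i)
            if t and t.group(1).lower() == "/script":
                tag, state = "/script", "tag"
                out.append(t.group(0))
                i = t.end()
                continue
        out.append(c)
        i += 1
    return "".join(out)


# The snippet from the original post; the values are constructed attack inputs.
TEMPLATE = "<html>\n<head>\n<title>$v1</title>\n<script>$v2</script>\n</head>"
VALUES = {"v1": "<b>x</b>", "v2": "</script><img src=x onerror=alert(1)>"}

if __name__ == "__main__":
    print(render_autoescaped(TEMPLATE, VALUES))
```

Run as a script it prints the template with `$v1` HTML-escaped and `$v2` emitted as a JS string literal whose angle brackets are `\u003c`/`\u003e`, so the `</script>` in the value never reaches the HTML parser. A handler that is called per reference with only `(name, value)` has no way to make that choice; the state machine above needs to have seen every template character before the reference, which is why Nathan's suggestion of a directive that walks the template's node tree (or a template-load hook, which the thread says does not exist) is the level at which this has to be attached.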