I made a try in this direction in 2002... See http://markmail.org/thread/tqmumbqpuopzxcy3
Of course, all this code would have to be reviewed... I don't know if there is still something interesting in it, but maybe you could check the approach I took at this time.

Claude

On Wed., 2010-04-21 at 09:14 +0100, Ivan Ristic wrote:
> [Note: I am sending this email for the second time because,
> apparently, the first email did not make it to the list. Apologies if
> it did.]
>
> I am considering implementing context-aware escaping in Velocity. For
> example, in the following snippet:
>
> <html>
> <head>
> <title>$v1</title>
> <script>$v2</script>
> </head>
>
> the variable $v1 would be transformed in one way and $v2 in another.
> The idea is to eliminate the need for any manual work, which would
> allow for fool-proof defence against XSS attacks.
>
> This has already been done elsewhere:
>
> http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
>
> My thinking is to implement the above by modifying templates
> on-the-fly, adding an appropriate wrapper for every encountered
> reference. Is there a way to register a callback with Velocity to be
> invoked whenever a template is retrieved?
>
> I am sending this email because I am not involved with the Velocity
> community, yet there could be things that I am missing. Perhaps this
> sort of thing was previously implemented somewhere or perhaps there is
> an easier way.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
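The template-rewriting approach described in the quoted message (wrap every reference with an escaper chosen from the static context around it, so that `$v1` inside `<title>` and `$v2` inside `<script>` are encoded differently), shown as an added, stand-alone Python prototype. This is example code written for this thread, not Velocity's code nor the approach Claude or Ivan implemented: the `$esc.<context>(...)` wrapper syntax, the `instrument`/`render` names and the three-state context tracker (HTML text, tag attribute, script body) are assumptions chosen for the illustration; a production version would drive the decision from a full HTML tokenizer rather than this heuristic.

```python
"""Context-aware auto-escaping prototype (added example, not Velocity code).

Two stages, mirroring the proposal in the thread:
  1. instrument(): rewrite the template so each $ref becomes $esc.<ctx>($ref),
     where <ctx> is derived from the *static* template text before the reference.
  2. render(): substitute values, applying the escaper named in the wrapper.
"""
import html
import json
import re

# A bare Velocity-style reference such as $v1 (assumed simplified syntax).
REFERENCE = re.compile(r"\$(\w+)")
# The wrapper form produced by instrument(): $esc.html($v1), $esc.js($v2), ...
WRAPPED = re.compile(r"\$esc\.(\w+)\(\$(\w+)\)")


def _js_string_literal(value):
    # Emit a JS string literal; additionally hex-escape <, > and & so the
    # result can never terminate the enclosing <script> element.
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


# One escaper per recognised context.
ESCAPERS = {
    "html": lambda v: html.escape(v, quote=True),   # element text content
    "attr": lambda v: html.escape(v, quote=True),   # quoted attribute value
    "js": _js_string_literal,                       # inside <script>...</script>
}


def context_before(text):
    """Classify the context at the end of `text` (the template up to a reference).

    Heuristic on purpose: it looks only at the most recent script tag and the
    most recent '<' / '>' to decide between script body, tag attribute and text.
    """
    lower = text.lower()
    if lower.rfind("<script") > lower.rfind("</script"):
        return "js"
    if text.rfind("<") > text.rfind(">"):   # an unclosed tag: we are in its attributes
        return "attr"
    return "html"


def instrument(template):
    """Rewrite every $ref into $esc.<ctx>($ref) based on its static context."""
    def wrap(match):
        ctx = context_before(template[: match.start()])
        return "$esc.%s(%s)" % (ctx, match.group(0))
    return REFERENCE.sub(wrap, template)


def render(template, values):
    """Instrument the template, then substitute values through the named escapers.

    A single regex pass means a substituted value containing '$' is never
    re-interpreted as a reference.
    """
    instrumented = instrument(template)

    def substitute(match):
        ctx, name = match.group(1), match.group(2)
        return ESCAPERS[ctx](str(values[name]))
    return WRAPPED.sub(substitute, instrumented)


if __name__ == "__main__":
    # Constructed sample template and values, for demonstration only.
    page = "<html><head><title>$v1</title><script>$v2</script></head></html>"
    print(instrument(page))
    print(render(page, {"v1": "<b>x</b>", "v2": "</script><b>"}))
```

The `js` escaper produces a complete string literal (with quotes), so a template line such as `<script>$v2</script>` renders as `<script>"..."</script>`; an HTML-entity escaper applied there would not be decoded by the script engine and would corrupt the data, which is exactly why the context, not the reference, must choose the encoder.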