On Wed, Apr 21, 2010 at 9:30 AM, Rachid <[email protected]> wrote:
> Hi Ivan,
>
> Good to hear that there is more development on Reducing XSS in Velocity. I
> did some research on it and made a tool which scans Velocity Templates and
> checks if every output ($v1, etc.) is encoded. If not, the tool gives a
> warning. Which encoding SHOULD be used is up to the programmer. So for now,
> at least there is a warning given when something is not encoded.
>
> I also looked into Auto-Escape. Only, the drawback of it was that it escapes
> ALL output. So I think there should be some addition that you can mark
> variables that you don't want to get escaped.

This already exists.  The EscapeReference subclasses all provide auto
escaping of references and all can be configured to escape certain
references and not others or to just escape everything.  There are
implementations for html, javascript, sql and xml.

> Let me know if you want to hear more about my project. If time allows I'm
> also willing to help you (At least with thoughts about the implementation).
>
>
> Cheers,
> Rachid.
>
>
> On Wed, Apr 21, 2010 at 10:14 AM, Ivan Ristic <[email protected]> wrote:
>
>> [Note: I am sending this email for the second time because,
>> apparently, the first email did not make it to the list. Apologies if
>> it did.]
>>
>> I am considering implementing context-aware escaping in Velocity. For
>> example, in the following snippet:
>>
>>   <html>
>>   <head>
>>   <title>$v1</title>
>>   <script>$v2</script>
>>   </head>
>>
>> the variable $v1 would be transformed in one way and $v2 in another.
>> The idea is to eliminate the need for any manual work, which would
>> allow for fool-proof defence against XSS attacks.
>>
>> This has already been done elsewhere:
>>
>> http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
>>
>> My thinking is to implement the above by modifying templates
>> on-the-fly, adding an appropriate wrapper for every encountered
>> reference. Is there a way to register a callback with Velocity to be
>> invoked whenever a template is retrieved?
>>
>> I am sending this email because I am not involved with the Velocity
>> community, yet there could be things that I am missing. Perhaps this
>> sort of thing was previously implemented somewhere or perhaps there is
>> an easier way.
>>
>> --
>> Ivan Ristic
>> ModSecurity Handbook [http://www.modsecurityhandbook.com]
>> SSL Labs [https://www.ssllabs.com/ssldb/]
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>>
>

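The on-the-fly rewriting Ivan proposes, paired with the kind of unescaped-output check Rachid's scanner performs, as an added Python illustration that is not code from this thread or from Velocity. It assumes velocity-tools' EscapeTool is in the context as $esc (so $esc.html() and $esc.javascript() exist), tracks only the two contexts in Ivan's snippet (HTML text vs. inside <script>), and deliberately ignores attribute and URL contexts.

```python
import re
from typing import List

# One pass over the template, recognising in order: a <script> open tag, a
# </script> close tag, a reference the author already wrapped in $esc.xxx(...)
# (matched first so its inner $ref is not seen twice), and a bare reference
# such as $v1 or ${v1}. Method/property references ($a.b) are out of scope.
TOKEN_RE = re.compile(
    r"(?P<open><script\b[^>]*>)"
    r"|(?P<close></script\s*>)"
    r"|(?P<wrapped>\$esc\.\w+\([^)]*\))"
    r"|(?P<ref>\$\{?[A-Za-z]\w*\}?)",
    re.IGNORECASE,
)


def rewrite_template(source: str) -> str:
    """Wrap every bare reference in the $esc method matching its HTML context.

    Text nodes get $esc.html(); anything between <script> and </script> gets
    $esc.javascript(). Already-wrapped references pass through untouched.
    """
    out, context, pos = [], "html", 0
    for m in TOKEN_RE.finditer(source):
        out.append(source[pos:m.start()])
        pos = m.end()
        if m.group("open"):
            context = "javascript"
        elif m.group("close"):
            context = "html"
        if m.group("ref"):
            out.append(f"$esc.{context}({m.group('ref')})")
        else:
            out.append(m.group())  # tag or already-escaped reference, verbatim
    out.append(source[pos:])
    return "".join(out)


def unescaped_references(source: str) -> List[str]:
    """Scanner-style check: references that reach the output without $esc."""
    return [m.group("ref") for m in TOKEN_RE.finditer(source) if m.group("ref")]


# Constructed sample: Ivan's snippet plus one reference the author escaped.
SAMPLE = (
    "<html>\n<head>\n<title>$v1</title>\n<script>$v2</script>\n</head>\n"
    "<p>$esc.html($v3)</p>\n"
)

if __name__ == "__main__":
    print("unescaped before:", unescaped_references(SAMPLE))
    print(rewrite_template(SAMPLE))
```

Running the scanner over the rewritten output reports nothing, which is the property a template linter would enforce in CI.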