The logic for how to transform each reference still needs to be somewhere. I think the easiest way is to use the Escape tool and then wrap references like $v1 --> $esc.html($v1)
http://velocity.apache.org/tools/devel/generic/EscapeTool.html

Ivan Ristic wrote:
>
> I am considering implementing context-aware escaping in Velocity. For
> example, in the following snippet:
>
> <html>
> <head>
> <title>$v1</title>
> <script>$v2</script>
> </head>
>
> the variable $v1 would be transformed in one way and $v2 in another.
> The idea is to eliminate the need for any manual work, which would
> allow for fool-proof defence against XSS attacks.
>

--
View this message in context: http://old.nabble.com/Context-aware-escaping-in-Velocity-tp28312990p28324408.html
Sent from the Velocity - Dev mailing list archive at Nabble.com.
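
An added sketch, not part of the original thread and not Velocity code, that combines the two ideas above: a template pre-processor that wraps each plain reference in the EscapeTool call matching its context (`$esc.html` in markup, `$esc.javascript` inside a `<script>` block). The function name `wrap_references` is hypothetical, and it assumes references inside `<script>` sit in a quoted JavaScript string literal, which is the only place `$esc.javascript` is an adequate escaper.

```python
import re

# First alternative: a reference already wrapped in an $esc call (left as is).
# Second: a plain $name or ${name}. Property/method references such as
# $user.name are deliberately not matched and stay untouched (review by hand).
REF = re.compile(
    r"(\$esc\.\w+\([^)]*\))"
    r"|\$(?:\{([A-Za-z_]\w*)\}|([A-Za-z_]\w*)(?![\w(]|\.[A-Za-z_]))"
)
# Splitting on this keeps the <script ...> and </script> tags as own chunks.
SCRIPT_TAG = re.compile(r"(<script\b[^>]*>|</script\s*>)", re.IGNORECASE)

# Assumed mapping from output context to EscapeTool method.
ESCAPER = {"html": "$esc.html", "script": "$esc.javascript"}


def _wrap(match, method):
    if match.group(1):  # already escaped, keep the pass idempotent
        return match.group(0)
    name = match.group(2) or match.group(3)
    return f"{method}(${name})"


def wrap_references(template: str) -> str:
    """Rewrite $v as $esc.<method>($v) according to the enclosing context."""
    out, context = [], "html"
    for chunk in SCRIPT_TAG.split(template):
        if SCRIPT_TAG.fullmatch(chunk):
            # Entering or leaving a script block switches the escaper.
            context = "html" if chunk.startswith("</") else "script"
            out.append(chunk)
            continue
        method = ESCAPER[context]
        out.append(REF.sub(lambda m: _wrap(m, method), chunk))
    return "".join(out)


# The snippet from the quoted message, used as sample input.
SAMPLE = "<html>\n<head>\n<title>$v1</title>\n<script>$v2</script>\n</head>\n"

if __name__ == "__main__":
    print(wrap_references(SAMPLE))
```

Attribute values, URLs and CSS are further contexts that this two-state scanner does not distinguish; each would need its own state and escaper.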