The logic for how to transform each reference still needs to be somewhere. I
think the easiest way is to use the Escape tool and then wrap references
like $v1 --> $esc.html($v1)

http://velocity.apache.org/tools/devel/generic/EscapeTool.html


Ivan Ristic wrote:
> 
> I am considering implementing context-aware escaping in Velocity. For
> example, in the following snippet:
> 
>    <html>
>    <head>
>    <title>$v1</title>
>    <script>$v2</script>
>    </head>
> 
> the variable $v1 would be transformed in one way and $v2 in another.
> The idea is to eliminate the need for any manual work, which would
> allow for fool-proof defence against XSS attacks.
> 

-- 
View this message in context: 
http://old.nabble.com/Context-aware-escaping-in-Velocity-tp28312990p28324408.html
Sent from the Velocity - Dev mailing list archive at Nabble.com.
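A manual version of what the reply proposes, as an added example that is not from the thread or from Velocity's own code base: the template from the quoted message, with `$esc.html` for the HTML text context and `$esc.javascript` for the JavaScript string context. It assumes Velocity 1.7 and velocity-tools 2.0 on the classpath; the sample input string is constructed.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.tools.generic.EscapeTool;

public class EscapeToolContexts {

    // The snippet from the quoted message, with the escaping made explicit.
    // $v1 is rendered as HTML text; $v2 is rendered inside a JavaScript
    // string literal, so each reference is wrapped with the matching escaper.
    // (What the thread proposes is picking the escaper automatically from the
    // surrounding markup; here the template author does it by hand.)
    static final String TEMPLATE =
        "<html>\n" +
        "<head>\n" +
        "<title>$esc.html($v1)</title>\n" +
        "<script>var label = '$esc.javascript($v2)';</script>\n" +
        "</head>\n";

    public static String render(String v1, String v2) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("esc", new EscapeTool()); // exposes $esc.html, $esc.javascript, ...
        ctx.put("v1", v1);
        ctx.put("v2", v2);

        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "escape-demo", TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input containing characters that are significant
        // in both contexts, but need a different transformation in each.
        String untrusted = "Tom's <b>report</b> & notes";
        System.out.println(render(untrusted, untrusted));
        // In the title, $esc.html turns < > & into entities so no tag can be
        // opened or closed. In the script, $esc.javascript backslash-escapes
        // quotes and '/' so the value cannot end the string literal or the
        // script block. Note that $esc.javascript is only correct for a value
        // placed inside a quoted JS string; bare JS code context needs more.
    }
}
```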

