Freddy D. wrote:
> The way I understood it is that although allowing markup in a
> message is often not a good idea, it shouldn't be impossible
> either, e.g. if you're running a blog that allows commenters
> to use markup.
>
> I don't know if adding a method to switch on encoding is
> necessary, when you can simply do:
>
> ctx.getMessages().add(new SimpleMessage(
> "Record ''{0}'' deleted", HtmlUtil.encode(recordName)));
                            ^^^^^^^^

I didn't know about that method...
> What do you think?

In light of the above, I think it just calls for a note in the docs:

"If you are passing user-supplied input into the error and message
classes, make sure you encode them with HtmlUtil.encode(), otherwise you
are leaving yourself vulnerable to XSS attacks."

--
Alan Burlison
--

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
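As an added example (not code from the thread or from Stripes itself), here are the unencoded and encoded forms of the "record deleted" message side by side, with a small check that no raw markup survives encoding. It assumes Stripes is on the classpath and that SimpleMessage renders through getMessage(Locale); the record name is a constructed sample.

```java
import java.util.Locale;
import net.sourceforge.stripes.action.SimpleMessage;
import net.sourceforge.stripes.util.HtmlUtil;

/*
 * Added example, not from the thread. SimpleMessage formats its pattern
 * with java.text.MessageFormat, which is why the pattern uses '' to
 * produce one literal single quote around the record name.
 */
public class EncodedMessageExample {

    // Constructed sample input: a record name as a user could have typed it,
    // carrying markup that must not reach the rendered page unencoded.
    static final String RECORD_NAME = "<b>Q3 report</b> & <i>notes</i>";

    /** The unsafe form: user input is interpolated into the message as-is. */
    static String unencodedMessage(String recordName) {
        SimpleMessage m = new SimpleMessage("Record ''{0}'' deleted", recordName);
        return m.getMessage(Locale.US);
    }

    /** The form from the thread: encode the user-supplied part first. */
    static String encodedMessage(String recordName) {
        SimpleMessage m = new SimpleMessage("Record ''{0}'' deleted",
                                            HtmlUtil.encode(recordName));
        return m.getMessage(Locale.US);
    }

    /** A check a unit test can run on rendered messages: no raw tag delimiters left. */
    static boolean containsRawMarkup(String rendered) {
        return rendered.indexOf('<') >= 0 || rendered.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        String unsafe = unencodedMessage(RECORD_NAME);
        String safe = encodedMessage(RECORD_NAME);
        System.out.println("unencoded: " + unsafe);
        System.out.println("encoded:   " + safe);
        System.out.println("raw markup in unencoded? " + containsRawMarkup(unsafe));
        System.out.println("raw markup in encoded?   " + containsRawMarkup(safe));
    }
}
```

The containsRawMarkup check is the kind of assertion worth keeping in a test for any action bean that builds messages from request parameters.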