Thanks, greatly appreciated.

Eric

On Thu, Aug 21, 2008 at 12:27 PM, Martijn Brinkers (List) <[EMAIL PROTECTED]> wrote:

> It's not typical to html escape input. HTML is about presentation and
> most input is just input. In other words, you want to HTML escape just
> before presenting the input to the user but not store the input escaped
> (at least I think that's what most applications use).
>
> Tapestry does already HTML escape all output unless you render the data
> raw on purpose. There are however a few things that you should be careful
> of. If you dynamically add some Javascript based on user input (using a
> Mixin for example) you should make sure that the user input cannot
> 'escape' the quotes of your Javascript code because that would create a
> possible XSS vulnerability.
>
> Martijn
>
> On Thu, 2008-08-21 at 12:12 -0600, Eric Rogers wrote:
> > Hello Howard,
> >
> > Does Tapestry provide any way to do this on input, even if it is just for
> > all form data that is submitted?  Perhaps being able to wire an interceptor
> > of some form in?
> >
> > Thanks,
> >
> > Eric
> >
> >
> > On Thu, Aug 21, 2008 at 11:57 AM, Eric Rogers <[EMAIL PROTECTED]> wrote:
> >
> > > Hello Howard,
> > >
> > > Thanks for the information.
> > >
> > > Thanks,
> > >
> > > Eric
> > >
> > >
> > >
> > > On Tue, Aug 19, 2008 at 1:18 PM, Howard Lewis Ship <[EMAIL PROTECTED]> wrote:
> > >
> > >> Tapestry mostly captures this on the output side; that is, when you
> > >> output a string (using, say ${property} expansion), the output is
> > >> filtered; the key HTML entities, "<", "&" and ">", are converted to
> > >> proper entities: "&lt;", etc.
> > >>
> > >> On Tue, Aug 19, 2008 at 11:11 AM, Eric Rogers <[EMAIL PROTECTED]>
> > >> wrote:
> > >> > Hello All,
> > >> >
> > >> > I am using Tapestry 5.0.14 and am looking to filter input in my Tapestry
> > >> > application for characters related to cross-site scripting.  Some input
> > >> > is from regular form submission, while other input is received using AJAX
> > >> > event listeners and JSON.  I realize that one can use a custom translator
> > >> > to scrub any unwanted characters from input for a given field.  However, I
> > >> > was wondering if anyone has come across a more general pattern or strategy
> > >> > to do this for both form and JSON input without having to explicitly define
> > >> > a translator for form fields, and manually call some method to do the same
> > >> > for a JSONObject.
> > >> >
> > >> > Thanks,
> > >> >
> > >> > Eric
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Howard M. Lewis Ship
> > >>
> > >> Creator Apache Tapestry and Apache HiveMind
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >> For additional commands, e-mail: [EMAIL PROTECTED]
> > >>
> > >>
> > >
>
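The point Martijn and Howard make above (escape for the context you are writing into, and HTML entity escaping does nothing to stop user data from breaking out of a JavaScript string literal), shown as an added example. This code is not part of the thread and is not Tapestry's own escaping code; all function names and the sample inputs are constructed for illustration, and escapeHtmlBasic models only the three entities Howard lists, not Tapestry's actual output filter.

```javascript
// Added example (not from this thread or the Tapestry project): why HTML
// escaping on output does not protect user data placed in a JavaScript
// string literal, and what a JS-string escaper does instead.

// Models the output escaping Howard describes: only "&", "<" and ">" become
// entities. This is an assumption for illustration, not Tapestry's code.
function escapeHtmlBasic(s) {
  return String(s).replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' })[c]);
}

// JavaScript-string-literal escaper: every character that could end the
// literal or the statement (quotes, backslash, line terminators) plus the
// angle brackets and slash (so "</script>" can never appear in the output)
// becomes a \uXXXX escape, which is valid inside any JS string literal.
function escapeJsString(s) {
  return String(s).replace(/[\\'"<>\/\r\n\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The risky pattern from the thread: a server-side value dropped into an
// inline script. `escaper` is whatever is supposed to protect the literal.
function renderInlineScript(userValue, escaper) {
  return "var displayName = '" + escaper(userValue) + "';";
}

// Parses and runs the generated script in an isolated function scope and
// reads the value back. Returns null when the script no longer parses,
// i.e. the user value broke out of the literal.
function roundTrip(script) {
  try {
    return new Function(script + ' return displayName;')();
  } catch (e) {
    return null;
  }
}

// Constructed inputs: a benign name with an apostrophe, and a value that
// contains the script terminator the HTML parser honours before JS runs.
const SAMPLE_INPUTS = ["O'Brien", 'x</script><b>y'];

// Renders each sample through one escaper and reports what happened.
function evaluate(escaper) {
  return SAMPLE_INPUTS.map((input) => {
    const script = renderInlineScript(input, escaper);
    const recovered = roundTrip(script);
    return {
      input,
      script,
      parses: recovered !== null,                 // did the literal survive intact?
      roundTripsExactly: recovered === input,     // does the value reach JS unchanged?
      closesScriptTag: /<\/script/i.test(script), // would this end the <script> element?
    };
  });
}

// Runs all three variants: no escaping, HTML escaping, JS-string escaping.
function runDemo() {
  return {
    raw: evaluate((s) => s),
    html: evaluate(escapeHtmlBasic),
    js: evaluate(escapeJsString),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

Running it shows the three outcomes side by side: with no escaping the apostrophe breaks the literal and the second input carries a literal `</script>`; with HTML escaping the apostrophe still breaks the literal and the second input parses but arrives in JavaScript as `&lt;` entities rather than the real text; with the JS-string escaper both values parse, round-trip unchanged, and contain no script terminator. The practical rule is the one Martijn gives: keep stored input unescaped, and escape at the point of output with the escaper for that output context.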
