Thanks, greatly appreciated.

Eric

On Thu, Aug 21, 2008 at 12:27 PM, Martijn Brinkers (List) <[EMAIL PROTECTED]> wrote:

> It's not typical to HTML escape input. HTML is about presentation and
> most input is just input. In other words, you want to HTML escape just
> before presenting the input to the user but not store the input escaped
> (at least I think that's what most applications use).
>
> Tapestry does already HTML escape all output unless you render the data
> raw on purpose. There are however a few things that you should be careful
> of. If you dynamically add some Javascript based on user input (using a
> Mixin for example) you should make sure that the user input cannot
> 'escape' the quotes of your Javascript code because that would create a
> possible XSS vulnerability.
>
> Martijn
>
> On Thu, 2008-08-21 at 12:12 -0600, Eric Rogers wrote:
> > Hello Howard,
> >
> > Does Tapestry provide any way to do this on input, even if it is just for
> > all form data that is submitted? Perhaps being able to wire an interceptor
> > of some form in?
> >
> > Thanks,
> >
> > Eric
> >
> > On Thu, Aug 21, 2008 at 11:57 AM, Eric Rogers <[EMAIL PROTECTED]> wrote:
> > > Hello Howard,
> > >
> > > Thanks for the information.
> > >
> > > Thanks,
> > >
> > > Eric
> > >
> > > On Tue, Aug 19, 2008 at 1:18 PM, Howard Lewis Ship <[EMAIL PROTECTED]> wrote:
> > >> Tapestry mostly captures this on the output side; that is, when you
> > >> output a string (using, say ${property} expansion), the output is
> > >> filtered; the key HTML entities, "<", "&" and ">", are converted to
> > >> proper entities: "&lt;", etc.
> > >>
> > >> On Tue, Aug 19, 2008 at 11:11 AM, Eric Rogers <[EMAIL PROTECTED]> wrote:
> > >> > Hello All,
> > >> >
> > >> > I am using Tapestry 5.0.14 and am looking to filter input in my Tapestry
> > >> > application for characters related to cross-site scripting. Some input is
> > >> > from regular form submission, while other input is received using AJAX event
> > >> > listeners and JSON. I realize that one can use a custom translator to scrub
> > >> > any unwanted characters from input for a given field. However, I was
> > >> > wondering if anyone has come across a more general pattern or strategy to do
> > >> > this for both form and JSON input without having to explicitly define a
> > >> > translator for form fields, and manually call some method to do the same for
> > >> > a JSONObject.
> > >> >
> > >> > Thanks,
> > >> >
> > >> > Eric
> > >>
> > >> --
> > >> Howard M. Lewis Ship
> > >>
> > >> Creator Apache Tapestry and Apache HiveMind

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
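The quote-escaping problem Martijn describes (user input spliced into dynamically generated JavaScript) is an example of output escaping that depends on context: the HTML escaper that protects ${property} output does nothing for a value placed inside a JavaScript string literal, because the browser's JavaScript engine never decodes HTML entities and the HTML escaper leaves the quote characters alone. The following is an added example, not code from this thread or from Tapestry; it is written in JavaScript so the generated script can actually be run, but the escaping rule is the same whichever server-side language builds the script. It goes slightly beyond the thread by also escaping "</", which matters when a value lands inside a script element. The payload, the `sandbox.pwned` flag and all function names are constructed for the demonstration.

```javascript
// Added example, not from the mailing-list thread or from Tapestry itself.
// It shows why an HTML escaper (what template text output gets) does not
// protect user input that is spliced into a JavaScript string literal, and
// what escaping that context actually needs.

// Roughly what a template engine does for text output: the HTML
// metacharacters "<", "&" and ">" become entities. Quotes are untouched.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Wrap a value as a JavaScript double-quoted string literal. Escapes the
// backslash, both quote characters, line terminators (including U+2028 and
// U+2029, which end a line in JavaScript but not in JSON) and "</", so the
// literal can never close the surrounding <script> element.
function jsStringLiteral(s) {
  const inner = String(s)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
  return '"' + inner + '"';
}

// The mistaken approach: HTML-escape the value and drop it between quotes.
function htmlEscapedLiteral(s) {
  return '"' + htmlEscape(s) + '"';
}

// A mixin-style script that greets the user. `toLiteral` is whichever
// quoting function the page author chose for the user-supplied name.
function buildGreetingScript(userName, toLiteral) {
  return "var greeting = " + toLiteral("Hello, " + userName) + ";";
}

// Execute the generated script in a scratch scope. `sandbox.pwned` is a
// constructed stand-in for whatever an injected payload would do in a
// browser (document.cookie exfiltration and the like).
function runScript(script) {
  const sandbox = { pwned: false, greeting: undefined, error: null };
  try {
    new Function("sandbox", script + "\nsandbox.greeting = greeting;")(sandbox);
  } catch (e) {
    sandbox.error = e.message;
  }
  return sandbox;
}

// Would this script text end the <script> element early when the browser's
// HTML parser sees it? (The HTML parser, not the JS engine, decides that.)
function closesScriptBlock(script) {
  return /<\/script/i.test(script);
}

// Constructed attacker input: closes the string, runs code, comments out the rest.
const PAYLOAD = '"; sandbox.pwned = true; //';

const unsafe = runScript(buildGreetingScript(PAYLOAD, htmlEscapedLiteral));
const safe = runScript(buildGreetingScript(PAYLOAD, jsStringLiteral));
console.log("HTML-escaped: pwned =", unsafe.pwned, "greeting =", JSON.stringify(unsafe.greeting));
console.log("JS-escaped:   pwned =", safe.pwned, "greeting =", JSON.stringify(safe.greeting));
```

Run with `node` and the first line reports `pwned = true` with the greeting truncated to `"Hello, "`: the HTML escaper left the double quote in place, so the payload closed the literal and the rest of it ran as code. The second line reports `pwned = false` with the full payload preserved as data. The practical rule is the one Martijn gives: escape for the context the value lands in. If the value is handed to the browser as JSON (as in an AJAX event response) the JSON encoder already quotes it, but a JSON string embedded in an inline script element still needs the "</" treatment, which a plain JSON encoder does not do.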