From "Will Glass-Husain" <>
Subject Re: security audit
Date Fri, 30 May 2003 17:14:48 GMT

Great comments!  I'll definitely write up a summary in a few days.

I forgot one more important security issue -- cross-site scripting vulnerabilities.

Anytime you display text that derives from user input on the velocity page, you need to escape
all the HTML characters (&, <, >, ").  Otherwise a malicious end user can insert
javascript that displays on a third user's browser window. Here's a short article on the

The solution is to write a tool that substitutes the characters and always use it to display
user input.

For added convenience, make a similar method that changes carriage returns to <br>'s
for greater readability.  If anyone wants sample code for a tool that does this, let me know.


P.S.   Didn't mean to start a flame war re: the developers.  But reading the dev-lists, it
does seem like the committers (with the exception of Nathan) have moved on to other projects
and haven't had much time to devote to Velocity in the last year.  There's a number of questions
and proposals on the velocity-dev list that go into a near vacuum.  Also, my impression (perhaps
erroneous) is that very few patches by non-committer contributors have made it into the core.
(which is a disincentive to contribute). As always, I'm very happy to have such a great
tool to work with, and appreciate all the efforts from Geir, Jon, Daniel, Nathan and others
in the past.

Forio Business Simulations
Will Glass-Husain
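The escaping tool the message describes, written out as an added example (this is not Will's sample code and not part of Velocity itself). The class name HtmlEscapeTool, the method names html and htmlWithBreaks, and the context key "esc" are assumptions; the mail only says "write a tool that substitutes the characters". Beyond the four characters listed in the mail, the example also escapes the single quote, since unquoted or single-quoted attribute values are another place user text can land.

```java
/**
 * Hypothetical escaping tool for Velocity templates (added example, not from
 * the original mail). After context.put("esc", new HtmlEscapeTool()), a
 * template writes $esc.html($comment) or $esc.htmlWithBreaks($comment)
 * instead of emitting $comment directly.
 */
public final class HtmlEscapeTool {

    /**
     * Replace the characters that let user text break out of HTML text content
     * or a quoted attribute value. The result is safe for both of those
     * positions; it is NOT sufficient inside a <script> block or a URL.
     */
    public String html(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // added beyond the mail's list
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * The "carriage returns to <br>" variant. Escape FIRST, then insert the
     * tags, so the only markup in the output is the markup we put there.
     */
    public String htmlWithBreaks(String input) {
        String escaped = html(input);
        // Normalise CRLF and lone CR to LF, then turn each LF into a <br>.
        return escaped.replace("\r\n", "\n")
                      .replace('\r', '\n')
                      .replace("\n", "<br>\n");
    }

    public static void main(String[] args) {
        HtmlEscapeTool esc = new HtmlEscapeTool();
        // Constructed sample input: a multi-line comment carrying markup and an
        // attribute-closing quote, the kind of value a comment field might receive.
        String comment = "Nice post!\r\n<b>bold</b> and a quote: \" here";
        System.out.println(esc.html(comment));
        // Nice post!
        // &lt;b&gt;bold&lt;/b&gt; and a quote: &quot; here
        System.out.println(esc.htmlWithBreaks(comment));
        // Nice post!<br>
        // &lt;b&gt;bold&lt;/b&gt; and a quote: &quot; here
    }
}
```

The ordering in htmlWithBreaks is the part worth remembering: if the line breaks were converted before escaping, the inserted <br> tags would themselves be escaped to &lt;br&gt; and the readability gain would be lost; converting afterwards means every tag in the output is one the tool wrote. The discipline the mail calls for, always going through the tool for user-derived values, is what makes a review of templates tractable: any bare $variable in an HTML position becomes the thing to look for.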