velocity-user mailing list archives

From "Will Glass-Husain" <wgl...@forio.com>
Subject Re: security audit
Date Fri, 30 May 2003 17:14:48 GMT
Hi,

Great comments!  I'll definitely write up a summary in a few days.

I forgot one more important security issue -- cross-site scripting vulnerabilities.

Anytime you display text that derives from user input on the velocity page, you need to escape
all the HTML characters (&, <, >, ").  Otherwise a malicious end user can insert
javascript that displays on a third user's browser window. Here's a short article on the
problem.
http://msdn.microsoft.com/workshop/author/dhtml/sec_dhtml.asp#xsite

The solution is to write a tool that substitutes the characters and always use it to display
user input.
    $HTMLMultiLine.escape($textfromuser)

For added convenience, make a similar method that changes carriage returns to <br>'s
for greater readability.  If anyone wants sample code for a tool that does this, let me know.
    $HTMLMultiLine.escapeMultiLine($textfromuser)

WILL

P.S.   Didn't mean to start a flame war re: the developers.  But reading the dev-lists, it
does seem like the committers (with the exception of Nathan) have moved on to other projects
and haven't had much time to devote to Velocity in the last year.  There are a number of questions
and proposals on the velocity-dev list that go into a near vacuum.  Also, my impression (perhaps
erroneous) is that very few patches by non-committer contributors have made it into the core
(which is a disincentive to contribute).  As always, I'm very happy to have such a great
tool to work with, and appreciate all the efforts from Geir, Jon, Daniel, Nathan and others
in the past.


_______________________________________
Forio Business Simulations
Will Glass-Husain


wglass@forio.com
www.forio.com
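An added example of the kind of escaping tool the post describes (not Will's sample code and not part of Velocity itself): a small Java class exposing the two methods named in the post, `escape` for the four characters listed and `escapeMultiLine` for line breaks. The class and method names follow the post's `$HTMLMultiLine.escape(...)` usage; the implementation and the sample input are assumptions.

```java
// Added example: a Velocity-style tool that HTML-escapes user-supplied text.
// Assumption: an instance is placed in the Velocity context under the name
// "HTMLMultiLine" so templates can call $HTMLMultiLine.escape($textfromuser).
public class HTMLMultiLine {

    /** Escape the characters the post lists as HTML-significant: & < > " */
    public String escape(String text) {
        if (text == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break; // the escape character itself
                case '<':  sb.append("&lt;");   break; // tag open
                case '>':  sb.append("&gt;");   break; // tag close
                case '"':  sb.append("&quot;"); break; // attribute delimiter
                // Single-quoted attributes would also need ' escaped; the post
                // only covers double quotes, so only those four are handled here.
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escape first, then turn CRLF, CR or LF into <br>. The order matters:
     * the <br> tags are inserted by this tool after the user's text is
     * already inert, so they can never be confused with user-supplied markup.
     */
    public String escapeMultiLine(String text) {
        String escaped = escape(text);
        return escaped.replaceAll("\r\n|\r|\n", "<br>");
    }

    public static void main(String[] args) {
        HTMLMultiLine tool = new HTMLMultiLine();
        // Constructed sample input: a comment field containing script markup.
        String user = "Hello <script>alert(\"hi\")</script>\nbye & thanks";
        System.out.println(tool.escape(user));
        // Hello &lt;script&gt;alert(&quot;hi&quot;)&lt;/script&gt;
        // bye &amp; thanks
        System.out.println(tool.escapeMultiLine(user));
        // Hello &lt;script&gt;alert(&quot;hi&quot;)&lt;/script&gt;<br>bye &amp; thanks
    }
}
```

In a template, the escaped result is inserted with `$HTMLMultiLine.escape($textfromuser)` exactly as the post shows; the unescaped `$textfromuser` should never be emitted directly.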