velocity-user mailing list archives

From "Nathan Bubna" <nat...@esha.com>
Subject Re: security audit
Date Fri, 30 May 2003 17:38:01 GMT
Will Glass-Husain said:
> I forgot one more important security issue -- cross-site scripting
> vulnerabilities.
>
> Anytime you display text that derives from user input on the Velocity page,
> you need to escape all the HTML characters (&, <, >, ").
...
> The solution is to write a tool that substitutes the characters and always
> use it to display user input.
>    $HTMLMultiLine.escape($textfromuser)

Or you could do the escaping substitution upon input of any text from users.
IMHO, that is the cleaner solution; I'd avoid doing this in the template if at
all possible, but if you must do it in the template...

Nathan Bubna
nathan@esha.com


---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org
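As an added worked example (not code from this thread or from the Velocity project), here is one way to build the escaping tool the quoted post suggests. The class name, the escape(Object) signature and the tool name HTMLMultiLine are assumptions chosen to match the quoted $HTMLMultiLine.escape($textfromuser) call; the apostrophe is escaped as well, which goes beyond the post's list of four characters but is needed when a value lands inside a single-quoted attribute. The sample strings are constructed for the demonstration.

```java
/**
 * Added example, not the Velocity project's own code: a small "tool"
 * object that escapes text for HTML so it can be called from a template
 * as $HTMLMultiLine.escape($textfromuser). Class and method names are
 * assumptions matching that quoted usage.
 */
public final class HtmlEscapeTool {

    /**
     * Escape the characters the post lists (&, <, >, ") plus the
     * apostrophe. Takes Object because Velocity passes whatever the
     * template references; null becomes the empty string rather than
     * the literal text "null".
     *
     * The replacement is done in a single pass over the input. A chain of
     * replace() calls would have to handle '&' first, otherwise the '&'
     * introduced by "&lt;" would itself be rewritten to "&amp;lt;".
     */
    public String escape(Object value) {
        if (value == null) {
            return "";
        }
        String s = value.toString();
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        HtmlEscapeTool tool = new HtmlEscapeTool();
        // Constructed sample inputs for the demonstration, not from the thread.
        String[] samples = {
            "Tom & Jerry",
            "<script>alert(1)</script>",
            "\" onmouseover=\"alert(1)",
            "it's",
            "already &amp; escaped on input"
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + tool.escape(s));
        }
    }
}
```

Put an instance into the VelocityContext under the name the template uses (context.put("HTMLMultiLine", new HtmlEscapeTool())) and the quoted template call works as written. The same method serves Nathan's alternative of escaping when the text is received; the last sample shows the one combination to avoid, which is doing both, since text escaped on the way in comes out as "&amp;amp;" if it is escaped again on the way out. The output is specific to HTML element content and quoted attribute values; a value placed inside a script block or a URL needs a different encoding.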

