velocity-user mailing list archives

From "Nathan Bubna" <>
Subject Re: security audit
Date Fri, 30 May 2003 17:38:01 GMT
Will Glass-Husain said:
> I forgot one more important security issue -- cross-site scripting.
> Anytime you display text that derives from user input on the Velocity page, you
> need to escape all the HTML characters (&, <, >, ").
> The solution is to write a tool that substitutes the characters and always use
> it to display user input.
>    $HTMLMultiLine.escape($textfromuser)

Or you could do the escaping substitution upon input of any text from users.
IMHO, that is the cleaner solution; I'd avoid doing this in the template if at
all possible, but if you must do it in the template...

Nathan Bubna
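As an added illustration of the escaping tool Will describes (this is example code written for this archive page, not code from the thread or from the Velocity project), here is a minimal Java class that can be dropped into a Velocity context and called from a template. The class name `HtmlEscapeTool`, the context key `$html`, and the null handling are assumptions; the method also escapes the single quote, which the post does not list, so that output placed inside single-quoted attributes is covered too.

```java
// Added example, not part of the original thread or of Velocity itself.
// A tiny HTML-escaping tool: put an instance into the VelocityContext under
// a key such as "html" and write $html.escape($textfromuser) in templates.
public class HtmlEscapeTool {

    /** Replace the HTML-significant characters &, <, >, " and ' with entities. */
    public String escape(Object value) {
        if (value == null) {
            return "";   // assumption: a null reference renders as nothing
        }
        String text = value.toString();
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;  // beyond the post's list
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        HtmlEscapeTool tool = new HtmlEscapeTool();
        // Constructed sample of user-supplied text containing markup.
        String fromUser = "<b>hi</b> & \"bye\"";
        System.out.println(tool.escape(fromUser));
        System.out.println("[" + tool.escape(null) + "]");
    }
}
```

With the tool registered as `$html`, a template line such as `$html.escape($textfromuser)` emits the entity-encoded form, so browser-significant characters in the user's text are displayed literally rather than parsed as markup. Whether the substitution runs at input time, as Nathan suggests, or at display time, the same routine can serve both places.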
