Actually, we don't really want to be putting those escapes into the
velocity macros in the trunk anymore. The better solution is to escape
that data in the pojo wrappers so that it's guaranteed to be escaped in
templates no matter what people do.
I have already done that for the comment pojo wrapper, but we should
probably do a general audit of all the pojo wrappers and add those html
escape calls to all places where it makes sense.
-- Allen
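The wrapper-side escaping Allen describes above, as an added example that is not Roller's own code: WeblogEntryComment, CommentWrapper and the inline escapeHTML are assumed stand-ins for the project's classes and for $utils.escapeHTML, and the http(s)-only rule on the URL is this example's own addition, not something on the page.

```java
import java.util.Locale;

// Added example, not Roller's own code. Velocity templates are handed only CommentWrapper,
// whose getters escape, so "$comment.name" is safe even where a template forgets $utils.escapeHTML.
public class CommentWrapperExample {
    /** Hypothetical raw persistence object holding user-supplied data unescaped. */
    static final class WeblogEntryComment {
        final String name, url;
        WeblogEntryComment(String name, String url) { this.name = name; this.url = url; }
    }
    /** Wrapper exposed to templates: every getter returns an already-escaped value. */
    static final class CommentWrapper {
        private final WeblogEntryComment pojo;
        CommentWrapper(WeblogEntryComment pojo) { this.pojo = pojo; }
        public String getName() { return escapeHTML(pojo.name); }
        // The URL is written into an href attribute. Escaping keeps it from closing the quoted
        // attribute; additionally (this example's own choice) only http(s) values are returned.
        public String getUrl() {
            if (pojo.url == null) return null;
            String u = pojo.url.trim();
            String lower = u.toLowerCase(Locale.ROOT);
            if (!lower.startsWith("http://") && !lower.startsWith("https://")) return null;
            return escapeHTML(u);
        }
    }
    /** Minimal stand-in for $utils.escapeHTML; assumed to behave the same way. */
    static String escapeHTML(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        // Constructed sample input with markup and a quote character in the fields.
        CommentWrapper c = new CommentWrapper(new WeblogEntryComment(
                "Bob <b>bold</b>", "http://example.com/?q=\"x\""));
        System.out.println("<b>" + c.getName() + "</b>");
        System.out.println("<a href=\"" + c.getUrl() + "\">");
    }
}
```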
snoopdave@apache.org wrote:
> Author: snoopdave
> Date: Fri May 18 13:08:18 2007
> New Revision: 539584
>
> URL: http://svn.apache.org/viewvc?view=rev&rev=539584
> Log:
> Oops, we missed this comment field when we added XSS-preventing escaping
>
> Modified:
> roller/trunk/web/WEB-INF/velocity/weblog.vm
>
> Modified: roller/trunk/web/WEB-INF/velocity/weblog.vm
> URL: http://svn.apache.org/viewvc/roller/trunk/web/WEB-INF/velocity/weblog.vm?view=diff&rev=539584&r1=539583&r2=539584
> ==============================================================================
> --- roller/trunk/web/WEB-INF/velocity/weblog.vm (original)
> +++ roller/trunk/web/WEB-INF/velocity/weblog.vm Fri May 18 13:08:18 2007
> @@ -196,7 +196,7 @@
> <p class="comment-details">
> $text.get("macro.weblog.postedby")
> #if (!$utils.isEmpty($comment.name) && !$utils.isEmpty($comment.url))
> - <a rel="nofollow" href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
> + <a rel="nofollow" href="$utils.escapeHTML($comment.url)"><b>$utils.escapeHTML($comment.name)</b></a>
> #elseif (!$utils.isEmpty($comment.name))
> <b>$utils.escapeHTML($comment.name)</b>
> #elseif ($comment.remoteHost)
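Review bot: the `+` line's `href="$utils.escapeHTML($comment.url)"` stops the value from terminating the quoted attribute, but it does not check what kind of URL $comment.url is, so any non-empty value that passes the `$utils.isEmpty` test in the `#if` still becomes an active link. Consider restricting the accepted scheme (for example to http/https) where the comment is stored or in the comment wrapper, so that this template line is not the only safeguard.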