velocity-dev mailing list archives

From Claude Brisson <>
Subject Re: A web page security enhancement demo patch
Date Fri, 06 Feb 2009 09:48:49 GMT
[please use user@velocity.apache.or

There are several ways to ease the escaping process. You can create a
ReferenceInsertionEventHandler filter that will escape all critical
references, based on whatever criteria you need - for instance, the
filter can be initialized with a text file containing critical reference
names (or regex), and automatically apply filtering on them.


On ven, 2009-02-06 at 12:45 +0800, Leon sdh5724 wrote:
> Dear Devs,
>      Velocity is a great open-source component for web page rendering. We
> deploy it on our site, which renders more than 1 billion dynamic web
> pages every day. But Velocity has no security protection against XSS and
> CSRF attacks. Every rendered reference point needs the programmer to
> write code such as "$stringEscapedUtil.escapedHtml($ref)". But such code
> will be forgotten by programmers, especially newbies. So security cannot
> be handled at every output.
>     In fact, nearly every web page output needs to be HTML encoded, more
> than 90%. The best solution is that we should HTML encode every output
> reference by default, and leave the remaining 10% of content output to
> some special macro directive. The attachment is my demo code (in fact we
> have deployed it in our production environment). The code implementation
> is very ugly, but brings us sophisticated security. Maybe it can give the
> Velocity Dev Team some ideas on web security.
>     Sorry that my code's comments are written in Chinese. I think the
> code is very simple. I explain it now:
>     1. The HTML/XML encoding part I copied from the Apache Commons
> component and rewrote for performance reasons, removing the encoding of
> non-ASCII Unicode. Encoding all Unicode chars is not wise; it causes
> larger web pages and causes debugging problems.
>     2. I implemented XML/HTML/JavaScript/XSS filters. I think the XSS
> filter should be optional, because it has many security rules.
>   It is ONLY advice.
> Leon Liu
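The approach Claude describes above, as an added example that is not part of this thread and not code from the Velocity project or from Leon's attachment: a ReferenceInsertionEventHandler that escapes every reference rendered into the output by default (Leon's "encode 90% by default" proposal) while a second, name-based pattern lets a template author opt specific references out (the "10% left to a special directive" case). It is written against the Velocity 1.6 event API current at the time of the thread; the two-argument referenceInsert(String, Object) signature, the class name EscapeByNameHandler, the ".*Html" naming convention for trusted references and the sample context values are all assumptions made for the example.

```java
// Added example, not from the thread or the Velocity project. Assumes the
// Velocity 1.6 event API: ReferenceInsertionEventHandler.referenceInsert(String, Object).
import java.io.StringWriter;
import java.util.regex.Pattern;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

public final class EscapeByNameHandler implements ReferenceInsertionEventHandler {

    /** References whose bare name matches this pattern are HTML-escaped. */
    private final Pattern escapeNames;
    /** References whose bare name matches this pattern are passed through unescaped (opt-out). */
    private final Pattern rawNames;

    public EscapeByNameHandler(String escapeRegex, String rawRegex) {
        this.escapeNames = Pattern.compile(escapeRegex);
        this.rawNames = rawRegex == null ? null : Pattern.compile(rawRegex);
    }

    /** Velocity calls this for every reference as it is rendered into the output. */
    public Object referenceInsert(String reference, Object value) {
        if (value == null) {
            return null;               // keep Velocity's own null / $!ref handling
        }
        String name = bareName(reference);
        if (rawNames != null && rawNames.matcher(name).matches()) {
            return value;              // explicitly trusted, e.g. pre-sanitised markup
        }
        if (!escapeNames.matcher(name).matches()) {
            return value;
        }
        return escapeHtml(value.toString());
    }

    /** "$name", "$!name", "${user.name}" become "name", "name", "user.name". */
    static String bareName(String reference) {
        String n = reference;
        if (n.startsWith("$")) n = n.substring(1);
        if (n.startsWith("!")) n = n.substring(1);
        if (n.startsWith("{") && n.endsWith("}")) n = n.substring(1, n.length() - 1);
        return n;
    }

    /**
     * Escapes only the five characters that matter in HTML text and quoted
     * attribute values. Non-ASCII characters are deliberately left alone, as
     * Leon argues, so CJK pages stay small and readable.
     */
    static String escapeHtml(CharSequence s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Demo with constructed context values: everything is escaped by default
    // (".*"), except references whose name ends in "Html", which the template
    // author thereby declares as already-safe markup.
    public static void main(String[] args) throws Exception {
        VelocityEngine ve = new VelocityEngine();
        ve.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "<script>alert(1)</script>");   // constructed hostile value
        ctx.put("bioHtml", "<b>trusted markup</b>");    // constructed trusted value

        EventCartridge ec = new EventCartridge();
        ec.addEventHandler(new EscapeByNameHandler(".*", ".*Html"));
        ec.attachToContext(ctx);

        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "demo", "<p>$name</p><div>$bioHtml</div>");
        System.out.println(out);
    }
}
```

Run against the constructed context, the `$name` reference comes out with its angle brackets as `&lt;` and `&gt;`, while `$bioHtml` is emitted verbatim because its name matches the opt-out pattern. Three caveats a reviewer would attach to any "escape by default" handler of this kind: the escaping is correct for HTML text and quoted attribute values only, so a reference placed inside a `<script>` block, an event-handler attribute or an `href` (the JavaScript and URL contexts Leon treats with a separate filter) still needs context-specific encoding; templates that already call something like `$esc.html($ref)` will double-escape once the handler is attached, so existing templates need a sweep; and the opt-out pattern is a naming convention, so nothing stops a developer putting untrusted data into a reference called `$commentHtml`. Velocity 1.5 and later also ship `org.apache.velocity.app.event.implement.EscapeHtmlReference`, selectable via `eventhandler.referenceinsertion.class` with the `eventhandler.escape.html.match` regex, which is the built-in form of the same idea and backs onto Commons Lang's `StringEscapeUtils.escapeHtml`.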