velocity-dev mailing list archives

From Byron Foster <>
Subject Re: A web page security enhancement demo patch
Date Fri, 06 Feb 2009 10:14:30 GMT
On Feb 5, 2009, at 21:45 , Leon sdh5724 wrote:

> Dear Devs,
>      Velocity is a great open source component for web page rendering.
> We deploy it on our site, which renders dynamic web pages, more than 1
> billion pages every day.

Wow, 1 Billion... That's traffic.

> But Velocity has no security protection against XSS + CSRF attacks. Every
> render reference point needs the programmer to write code such as
> "$stringEscapedUtil.escapedHtml($ref)". But such code will be
> forgotten by programmers, especially a newbie. So security cannot be
> handled at every output.
>     In fact, every web page output needs to be HTML encoded, about
> more than 90%. The best solution is that we should do HTML encoding for every
> output reference by default. Some spec Macro directive left 10%
> content output.
>   The attachment is my demo code (in fact we have deployed it in our
> product environment). The code implementation is very ugly, but
> bring us security sophisticated. Maybe it can bring the Velocity Dev
> Team some ideas on web security.
>     Sorry for my code's comments written in Chinese. I think the code
> is very simple. I explain it now:
>     1. html/xml encode part, I copied it from the Apache Commons
> component, and rewrote it for performance issues and removed encoding for
> non-ASCII Unicode. Encoding all Unicode chars is not wise, it causes
> larger web pages and causes debug problems.

But it looks like you do escape many non-ASCII Unicode characters in
the case of HTML40, which includes the arrays ISO8859_1_ARRAY and
HTML40_ARRAY. Any reason why you escape these?

Anyway, thanks for sharing.
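
The escape-by-default idea discussed in this message, as an added example that is not part of the thread, the attached patch, or Velocity's own API: every `$reference` is HTML-escaped unless its value is explicitly wrapped as trusted markup, and only markup-significant ASCII characters are encoded, so non-ASCII text passes through unchanged. The names `DefaultEscapeDemo`, `TrustedHtml`, `escapeHtml` and `render` are hypothetical, and the template syntax is a toy subset (plain `$name` only).

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DefaultEscapeDemo {
    // Hypothetical opt-out marker: wraps the minority of values that are already safe markup.
    static final class TrustedHtml {
        final String html;
        TrustedHtml(String html) { this.html = html; }
    }

    // Encodes only the characters that can change HTML structure; non-ASCII is left as-is.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    private static final Pattern REF = Pattern.compile("\\$(\\w+)");

    // Toy renderer: escaping is the default path, so a forgotten call cannot skip it.
    static String render(String template, Map<String, Object> ctx) {
        Matcher m = REF.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            Object v = ctx.get(m.group(1));
            String text = (v == null) ? m.group(0)          // unresolved: keep the literal
                    : (v instanceof TrustedHtml) ? ((TrustedHtml) v).html
                    : escapeHtml(v.toString());
            m.appendReplacement(out, Matcher.quoteReplacement(text));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        Map<String, Object> ctx = Map.of(                   // constructed sample values
                "name", "<script>alert(1)</script> Zo\u00eb",   // untrusted input, ends in "Zoë"
                "banner", new TrustedHtml("<b>Sale</b>"));      // explicitly trusted markup
        System.out.println(render("<p>$name</p>$banner $missing", ctx));
    }
}
```

The opt-out is carried by the value's type rather than by a call in the template, so reviewing which outputs bypass escaping means searching for `TrustedHtml` constructions instead of auditing every reference.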
