velocity-dev mailing list archives

From Leon sdh5724 <sdh5...@gmail.com>
Subject A web page security enhancement demo patch
Date Fri, 06 Feb 2009 04:45:31 GMT
Dear Devs,
     Velocity is a great open-source component for web page rendering. We deploy
it on our site, which renders more than 1 billion dynamic web pages
every day. But Velocity has no security protection against XSS + CSRF attacks. Every
rendered reference point needs the programmer to write code such as
"$stringEscapedUtil.escapedHtml($ref)". But such code will be forgotten
by the programmer, especially a newbie. So security cannot be handled at every
output.
    In fact, every web page output needs to be HTML encoded, more than
90% of them. The best solution is that we should do HTML encoding for every output reference
by default. Some special macro directives are left for the 10% of content output. The
attachment is my demo code (in fact we have deployed it in our production
environment). The code implementation is very ugly, but brings us sophisticated
security. Maybe it can bring the Velocity Dev Team some ideas on web
security.
    Sorry, my code's comments are written in Chinese. I think the code is very
simple. I explain it now:
    1. HTML/XML encode part: I copied it from the Apache Commons component, and
rewrote it for performance issues and removed encoding for non-ASCII Unicode.
Encoding all Unicode chars is not wise; it causes larger web pages and causes
debug problems.
    2. I implemented an XML/HTML/JavaScript/XSS filter. I think the XSS filter
should be optional, because it has many security rules.

  It is ONLY advice.

Leon Liu
