velocity-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Leon sdh5724 <>
Subject Re: A web page security enhancement demo patch
Date Fri, 06 Feb 2009 12:16:58 GMT
2009/2/6 Byron Foster <>

> On Feb 5, 2009, at 21:45 , Leon sdh5724 wrote:
>  Dear Devs,
>>     Velocity is a great opensource component for weg page render. We
>> deploy it  on our site that render dynamic web pages more than 1 billion
>> pages everyday.
> Wow, 1 Billion... That's traffic.yes, a big traffic.
>  But velocity have no security protected xss + csrf attack. Every render
>> reference point need programmer writing code as
>> "$stringEscapedUtil.escapedHtml($ref)". But the such code will be forgoten
>> by programmer, especialy a newbie.  So  security can not be handled at every
>> output.
>>    Infact, every web page output need to be html encode , about more than
>> 90%. The best solution we shuold do html encode for every output refrence
>> with default.Some spec Macro directive left 10% content output.
>>  The attachment is my demo code (Infact we have deploy it in our product
>> enviroment).  The code implementation is very ugly, but bring us security
>> sophisticated. Maybe it can bring Velocity Dev Team some idea on web
>> security.
>>    Sorry for my code's coment writing in chinese. I think the code is very
>> simple.  I explain it now:
>>    1. html/xml encode part, I copy it from apache commons component, and
>> rewrite it for performace issue and remove encode for non-ascii unicode.
>> Encode all unicode chars are not wize , cause more large web page and cause
>> debug problem.
> But it looks like you do escape many non-ascii unicode characters in the
> case of HTML40 which includes the arrays ISO8859_1_ARRAY and HTML40_ARRAY.
> Any reason why you escape these?

--These chars come from w3c spec. Some chars are very dangrous on windows ie
platform. Our security team require encode these chars. So I copy the chars
to my code. That's all.

> Anway, thanks for sharing.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message