velocity-general mailing list archives

From Nathan Bubna
Subject Re: Escaping HTML with Velocity Layout Servlet
Date Mon, 02 Feb 2009 18:14:57 GMT
Hmm.  That's odd that nothing gets escaped in the screen when you set
"eventhandler.escape.html.match to /^screen_content/".  I'll have to
try this out myself, as I'm fairly sure that should have done the

2009/1/29 <>:
> Hi -
> I couldn't find an answer to this in the list archives or with general web search.  I am trying to escape HTML when displaying user-entered data for typical usual reasons of not having my app open to CSS attack.
> I have set up the EscapeHtmlReference code and it works fine, but the issue is that using the layout servlet, it appears that the html escaping tool either escapes the entire $screen_content value or, by setting eventhandler.escape.html.match to /^screen_content/, none of it.  It appears that the tool isn't aware of (or doesn't have visibility into) the pre-merged state of everything below $screen_content, and so merges everything and then escapes everything in $screen_content.
> Is there an HTML reference escaper that is aware of layouts and can properly handle this situation (i.e., don't just escape $screen_content - escape everything in the template content).
> Thank you for any thoughts,
> Dave
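The two-pass merge described in the quoted question, as an added example that is not part of the original thread and is not Velocity code. It is a toy renderer: `merge`, `render`, and the sample templates are constructed for illustration, and it assumes reference names are matched without the leading `$`; how Velocity itself applies `eventhandler.escape.html.match` is not reproduced here.

```python
import html
import re

REF = re.compile(r"\$(\w+)")  # toy reference syntax: $name

def merge(template, context, escape_match=None):
    """Replace each $name with its value, HTML-escaping the value when the
    reference name matches escape_match (compiled regex); None = no escaping."""
    def insert(m):
        name = m.group(1)
        value = str(context.get(name, m.group(0)))
        if escape_match is not None and escape_match.search(name):
            return html.escape(value)
        return value
    return REF.sub(insert, template)

def render(screen, layout, context, escape_match):
    # Pass 1: merge the screen template; user-entered values are inserted here.
    screen_content = merge(screen, context, escape_match)
    # Pass 2: merge the layout; $screen_content now holds already-merged HTML.
    layout_ctx = {**context, "screen_content": screen_content}
    return merge(layout, layout_ctx, escape_match)

# Constructed sample input
SCREEN = "<p>Hello $name</p>"
LAYOUT = "<html><body>$screen_content</body></html>"
CTX = {"name": "<script>alert(1)</script>"}

ESCAPE_ALL = re.compile(r".")                        # every reference
ALL_BUT_SCREEN = re.compile(r"^(?!screen_content$)")  # exempt the layout slot

def escape_nothing():
    # User markup reaches the page unescaped.
    return render(SCREEN, LAYOUT, CTX, None)

def escape_everything():
    # Screen markup is escaped too, and user data is escaped twice.
    return render(SCREEN, LAYOUT, CTX, ESCAPE_ALL)

def escape_all_but_screen_content():
    # User data escaped once in pass 1; merged screen HTML passes through.
    return render(SCREEN, LAYOUT, CTX, ALL_BUT_SCREEN)

if __name__ == "__main__":
    for fn in (escape_nothing, escape_everything, escape_all_but_screen_content):
        print(f"{fn.__name__}: {fn()}")
```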