velocity-general mailing list archives

From Nathan Bubna <nbu...@gmail.com>
Subject Re: Escaping HTML with Velocity Layout Servlet
Date Mon, 02 Feb 2009 18:14:57 GMT
Hmm.  That's odd that nothing gets escaped in the screen when you set
"eventhandler.escape.html.match to /^screen_content/".  I'll have to
try this out myself, as I'm fairly sure that should have done the
trick.

2009/1/29 dcreed97@yahoo.com <dcreed97@yahoo.com>:
> Hi -
>
> I couldn't find an answer to this in the list archives or with general
> web search.  I am trying to escape HTML when displaying user-entered
> data for typical usual reasons of not having my app open to CSS attack.
>
> I have set up the EscapeHtmlReference code and it works fine, but the
> issue is that using the layout servlet, it appears that the html escaping
> tool either escapes the entire $screen_content value or, by setting
> eventhandler.escape.html.match to /^screen_content/, none of it.  It
> appears that the tool isn't aware of (or doesn't have visibility into)
> the pre-merged state of everything below $screen_content, and so merges
> everything and then escapes everything in $screen_content.
>
> Is there an HTML reference escaper that is aware of layouts and can
> properly handle this situation (i.e., don't just escape $screen_content -
> escape everything in the template content)?
>
> Thank you for any thoughts,
>
> Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@velocity.apache.org
For additional commands, e-mail: general-help@velocity.apache.org
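
The two-pass merge described in the question, as an added example that is not part of the thread or of Velocity's own code. It runs the stock `EscapeHtmlReference` with no match pattern, then a reference-insertion handler that exempts `$screen_content`. It assumes Velocity 1.x with commons-lang 2.x on the classpath; `LayoutEscapeDemo`, `EscapeAllButScreen`, the `$comment` reference and both inline templates are hypothetical.

```java
import java.io.StringWriter;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

// Added example, not code from the thread or from the Velocity project.
public class LayoutEscapeDemo {

    /** Hypothetical handler: escapes every reference except $screen_content. */
    public static class EscapeAllButScreen implements ReferenceInsertionEventHandler {
        public Object referenceInsert(String reference, Object value) {
            if (value == null) {
                return null;
            }
            // Normalise "$screen_content", "$!screen_content", "${screen_content}".
            String name = reference.replaceAll("^\\$?!?\\{?|\\}$", "");
            if (name.equals("screen_content")) {
                return value; // merged, and its references escaped, in the screen pass
            }
            return StringEscapeUtils.escapeHtml(value.toString());
        }
    }

    /** Two-pass merge in the style of the layout servlet: screen first, then layout. */
    static String render(String handlerClass, String userInput) throws Exception {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty("eventhandler.referenceinsertion.class", handlerClass);
        ve.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("comment", userInput);

        StringWriter screen = new StringWriter();
        ve.evaluate(ctx, screen, "screen", "<p>$comment</p>"); // constructed screen template

        ctx.put("screen_content", screen.toString());
        StringWriter page = new StringWriter();
        ve.evaluate(ctx, page, "layout", "<body>$screen_content</body>"); // constructed layout
        return page.toString();
    }

    public static void main(String[] args) throws Exception {
        String input = "<b>hi</b>"; // constructed user input
        // Stock handler, no match pattern: the merged screen markup is escaped a second time.
        System.out.println(render(
            "org.apache.velocity.app.event.implement.EscapeHtmlReference", input));
        // Exempting $screen_content: user data escaped once, screen markup left intact.
        System.out.println(render(EscapeAllButScreen.class.getName(), input));
    }
}
```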