velocity-general mailing list archives

From Nathan Bubna <nbu...@gmail.com>
Subject Re: Escaping HTML with Velocity Layout Servlet
Date Thu, 05 Feb 2009 00:40:04 GMT
Ok, I tried this, and it turns out that /^screen_content/ matches the
$screen_content reference specifically.  In Perl regex (which is used
here via the Jakarta Oro lib), ^ denotes the start of a line unless it
is used in a class definition like [^a-z], in which case it negates
the class.

http://www.rexswain.com/perl5.html#regular

I'm actually not sure how to write an expression that matches
everything but $screen_content, except perhaps /^[^_]+$/ (which would
match anything that didn't have a _ in it).  Not ideal, but I'm drawing
a blank on other ways to achieve this.  If there's no way to define an
entirely negated regex, then we should perhaps consider adding a
property like:

eventhandler.escape.html.match.except

or something like that.

P.S.  I just noticed that this conversation is on the general@ list.
This would be better on the user@ list (where there are more people
watching).

On Wed, Feb 4, 2009 at 12:46 PM, dcreed97@yahoo.com <dcreed97@yahoo.com> wrote:
> Hi Nathan - thanks.  Anyone have any additional thoughts on this?  Beginning to believe
> that without writing my own plugin to Velocity, escaping HTML in Velocity Layout Servlet is
> impossible (short of putting in some sort of escape tag).
>
> Thanks,
>
> Dave
>
> --- On Mon, 2/2/09, Nathan Bubna <nbubna@gmail.com> wrote:
>
>> From: Nathan Bubna <nbubna@gmail.com>
>> Subject: Re: Escaping HTML with Velocity Layout Servlet
>> To: "general" <general@velocity.apache.org>, "dcreed97" <dcreed97@yahoo.com>
>> Date: Monday, February 2, 2009, 1:14 PM
>> Hmm.  That's odd that nothing gets escaped in the screen when you set
>> "eventhandler.escape.html.match to /^screen_content/".  I'll have to
>> try this out myself, as I'm fairly sure that should have done the
>> trick.
>>
>> 2009/1/29 dcreed97@yahoo.com <dcreed97@yahoo.com>:
>> > Hi -
>> >
>> > I couldn't find an answer to this in the list archives or with general
>> > web search.  I am trying to escape HTML when displaying user entered data
>> > for typical usual reasons of not having my app open to CSS attack.
>> >
>> > I have set up the EscapeHtmlReference code and it works fine, but the
>> > issue is that using the layout servlet, it appears that the html escaping
>> > tool either escapes the entire $screen_content value or, by setting
>> > eventhandler.escape.html.match to /^screen_content/, none of it.  It
>> > appears that the tool isn't aware of (or doesn't have visibility into)
>> > the pre-merged state of everything below $screen_content, and so merges
>> > everything and then escapes everything in $screen_content.
>> >
>> > Is there an HTML reference escaper that is aware of layouts and can
>> > properly handle this situation (i.e., don't just escape $screen_content -
>> > escape everything in the template content)?
>> >
>> > Thank you for any thoughts,
>> >
>> > Dave
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: general-unsubscribe@velocity.apache.org
>> > For additional commands, e-mail: general-help@velocity.apache.org

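The two-stage merge the thread is wrestling with, as an added Python simulation (not code from the thread or from Velocity itself): a reference-insertion handler that HTML-escapes a value only when the reference name matches the configured pattern is applied first to the screen template and then to the layout that receives the rendered screen as $screen_content. It is an assumption that the real handler tests the pattern against the bare reference name as done here; the negative-lookahead pattern is shown in Python's re syntax, and whether the Oro engine accepts the same form is not verified here.

```python
import html
import re

# Constructed sample input: attacker-controlled data that the screen
# template displays. The screen template is the only place it is referenced.
USER_NAME = '<script>alert(1)</script>'


def escape_if_matches(name, value, match_re):
    """Simulated reference-insertion handler: escape the value only when the
    reference name matches the configured eventhandler.escape.html.match
    pattern (assumption: the pattern is tested against the bare name)."""
    return html.escape(value, quote=True) if match_re.search(name) else value


def render_screen(match_re):
    """Screen template: inserts the user data under the handler."""
    return '<p>Hello, ' + escape_if_matches('name', USER_NAME, match_re) + '</p>'


def render_layout(screen_content, match_re):
    """Layout template: inserts the already-rendered screen as $screen_content."""
    return ('<html><body>'
            + escape_if_matches('screen_content', screen_content, match_re)
            + '</body></html>')


def render(match_pattern):
    """Full merge: screen first, then layout, both under the same handler."""
    match_re = re.compile(match_pattern)
    return render_layout(render_screen(match_re), match_re)


# The output we want: user data escaped exactly once, layout markup intact.
SAFE = ('<html><body><p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;'
        '</p></body></html>')

if __name__ == '__main__':
    # '.*' escapes at both stages (double-escaping); '^screen_content' escapes
    # only the rendered screen, turning its markup into text; the last two
    # patterns exclude $screen_content so only the user data is escaped.
    for pattern in ('.*', '^screen_content', '^[^_]+$', '^(?!screen_content$).*'):
        out = render(pattern)
        print(f'{pattern:26} {"OK     " if out == SAFE else "BROKEN "} {out}')
```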