velocity-general mailing list archives

From "dcreed97@yahoo.com" <dcree...@yahoo.com>
Subject Escaping HTML with Velocity Layout Servlet
Date Thu, 29 Jan 2009 16:09:41 GMT
Hi - 

I couldn't find an answer to this in the list archives or with general web search. I am trying
to escape HTML when displaying user-entered data for typical usual reasons of not having my
app open to CSS attack.

I have set up the EscapeHtmlReference code and it works fine, but the issue is that using the
layout servlet, it appears that the HTML escaping tool either escapes the entire $screen_content
value or, by setting eventhandler.escape.html.match to /^screen_content/, none of it. It
appears that the tool isn't aware of (or doesn't have visibility into) the pre-merged state
of everything below $screen_content, and so merges everything and then escapes everything
in $screen_content.

Is there an HTML reference escaper that is aware of layouts and can properly handle this situation
(i.e., don't just escape $screen_content - escape everything in the template content)?

Thank you for any thoughts,

Dave


      

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@velocity.apache.org
For additional commands, e-mail: general-help@velocity.apache.org
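
The two-pass merge described in the message above, as an added example that is not part of the original post and is not Velocity code: a toy Python model in which a screen template is merged first and its output is then inserted into a layout as `$screen_content`. The function names, templates and input are constructed for illustration; `escape_all` and `escape_except_screen` are hypothetical insertion hooks, not Velocity APIs.

```python
import html
import re

# Matches $name, $!name, ${name} and $!{name} in this toy template syntax.
REF = re.compile(r"\$!?\{?([A-Za-z_]\w*)\}?")

def merge(template, context, on_insert):
    """Render a template, passing each inserted value through on_insert(name, value)."""
    def insert(match):
        name = match.group(1)
        return on_insert(name, str(context.get(name, "")))
    return REF.sub(insert, template)

def escape_all(name, value):
    # Escapes every reference, including the already merged screen output.
    return html.escape(value)

def escape_except_screen(name, value):
    # Leaves the merged screen alone: its own references were escaped in pass 1.
    return value if name == "screen_content" else html.escape(value)

def render(screen, layout, context, on_insert):
    # Pass 1 merges the screen template; pass 2 merges the layout around it.
    body = merge(screen, context, on_insert)
    return merge(layout, dict(context, screen_content=body), on_insert)

# Constructed sample templates and user input.
SCREEN = "<p>Hello $name</p>"
LAYOUT = "<html><body>$screen_content</body></html>"
CTX = {"name": "<b>Dave</b>"}

if __name__ == "__main__":
    # Screen markup is destroyed and the user value is escaped twice.
    print(render(SCREEN, LAYOUT, CTX, escape_all))
    # Screen markup survives and the user value is escaped exactly once.
    print(render(SCREEN, LAYOUT, CTX, escape_except_screen))
```

In this model the user value is escaped at insertion time in the screen pass, so the only reference the layout pass has to exempt is `screen_content` itself.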

