Posted to dev@velocity.apache.org by Ed Yu <ek...@asgnet.psc.sc.edu> on 2002/07/15 15:43:39 UTC

HTML escape sequence filtering (is there a tool for that?)

I'm looking into JSP migration to Velocity. There is one feature that
the <bean:write ... filter="true"> tag offers, the ability to filter
special html characters (<, >, &, etc...). Currently is there a "tool"
to perform such filtering?

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Ed Yu, IBM Certified Specialist - AIX System Administrator
Information Technology Manager,
University of South Carolina,
Advanced Solutions Group, Physics Dept.,
Columbia, SC 29208
Office (803)777-8831, FAX (803)777-8833, Email ekyu@asgnet.psc.sc.edu


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: HTML escape sequence filtering (is there a tool for that?)

Posted by Gabriel Sidler <si...@teamup.ch>.
Ed Yu wrote:

> I'm looking into JSP migration to Velocity. There is one feature that
> the <bean:write ... filter="true"> tag offers, the ability to filter
> special html characters (<, >, &, etc...). Currently is there a "tool"
> to perform such filtering?


The LinkTool of VelocityStruts supports URL encoding of query parameters.
See http://www.teamup.com/jakarta-velocity-tools/struts/docs/LinkTool.html

But that's probably not exactly what you are looking for...

Gabriel







-- 
--
Gabriel Sidler
Software Engineer, Eivycom GmbH, Zurich, Switzerland




Re: HTML escape sequence filtering (is there a tool for that?)

Posted by "Geir Magnusson Jr." <ge...@adeptra.com>.
On 7/15/02 3:30 PM, "Geir Magnusson Jr." <ge...@adeptra.com> wrote:

> On 7/15/02 1:38 PM, "Jon Scott Stevens" <jo...@latchkey.com> wrote:
> 
>> on 7/15/02 6:43 AM, "Ed Yu" <ek...@asgnet.psc.sc.edu> wrote:
>> 
>>> I'm looking into JSP migration to Velocity. There is one feature that
>>> the <bean:write ... filter="true"> tag offers, the ability to filter
>>> special html characters (<, >, &, etc...). Currently is there a "tool"
>>> to perform such filtering?
>> 
>> Even better than Geir's suggestion (which is terribly not MVC
> 
> I'll beg to differ.  I think that this is just fine MVC as this is a view
> issue - if the data is to be XML encoded vs URL encoded vs translated to
> Spanish vs translated to Klingon vs... That, to me, is a view thing.
> Otherwise you have to teach your model about presentation.
> 

Just to be clear - re-reading this, in the case of language, I am unsure
about whether the translation should be here or elsewhere - it probably belongs
elsewhere, as that's data.


However, I still think that this kind of view-specific encoding (the XML) is
just fine here....

>> and prone to
>> mistakes...what if you forget to filter some user supplied data? You then
>> have a cross site scripting hole)
> 
> This I agree with 100% :)
> 
>> ...is to write a ReferenceInsertionFilter
>> to do what you want...
>> 
>> <http://scarab.tigris.org/source/browse/scarab/src/java/org/tigris/scarab/util/ReferenceInsertionFilter.java?rev=1.11&content-type=text/x-cvsweb-markup>
>> 
> 
> And yes, for the non-lazy that want to do it right, this is great.

-- 
Geir Magnusson Jr. 
Research & Development, Adeptra Inc.
geirm@adeptra.com
+1-203-247-1713





Re: HTML escape sequence filtering (is there a tool for that?)

Posted by "Geir Magnusson Jr." <ge...@adeptra.com>.
On 7/15/02 1:38 PM, "Jon Scott Stevens" <jo...@latchkey.com> wrote:

> on 7/15/02 6:43 AM, "Ed Yu" <ek...@asgnet.psc.sc.edu> wrote:
> 
>> I'm looking into JSP migration to Velocity. There is one feature that
>> the <bean:write ... filter="true"> tag offers, the ability to filter
>> special html characters (<, >, &, etc...). Currently is there a "tool"
>> to perform such filtering?
> 
> Even better than Geir's suggestion (which is terribly not MVC

I'll beg to differ.  I think that this is just fine MVC as this is a view
issue - if the data is to be XML encoded vs URL encoded vs translated to
Spanish vs translated to Klingon vs... That, to me, is a view thing.
Otherwise you have to teach your model about presentation.

> and prone to
> mistakes...what if you forget to filter some user supplied data? You then
> have a cross site scripting hole)

This I agree with 100% :)

>...is to write a ReferenceInsertionFilter
> to do what you want...
> 
> <http://scarab.tigris.org/source/browse/scarab/src/java/org/tigris/scarab/util/ReferenceInsertionFilter.java?rev=1.11&content-type=text/x-cvsweb-markup>
> 

And yes, for the non-lazy that want to do it right, this is great.

-- 
Geir Magnusson Jr. 
Research & Development, Adeptra Inc.
geirm@adeptra.com
+1-203-247-1713





Re: HTML escape sequence filtering (is there a tool for that?)

Posted by Jon Scott Stevens <jo...@latchkey.com>.
on 7/15/02 6:43 AM, "Ed Yu" <ek...@asgnet.psc.sc.edu> wrote:

> I'm looking into JSP migration to Velocity. There is one feature that
> the <bean:write ... filter="true"> tag offers, the ability to filter
> special html characters (<, >, &, etc...). Currently is there a "tool"
> to perform such filtering?

Even better than Geir's suggestion (which is terribly not MVC and prone to
mistakes...what if you forget to filter some user supplied data? You then
have a cross site scripting hole)...is to write a ReferenceInsertionFilter
to do what you want...

<http://scarab.tigris.org/source/browse/scarab/src/java/org/tigris/scarab/util/ReferenceInsertionFilter.java?rev=1.11&content-type=text/x-cvsweb-markup>

-jon




Re: HTML escape sequence filtering (is there a tool for that?)

Posted by "Geir Magnusson Jr." <ge...@adeptra.com>.
On 7/15/02 9:43 AM, "Ed Yu" <ek...@asgnet.psc.sc.edu> wrote:

> I'm looking into JSP migration to Velocity. There is one feature that
> the <bean:write ... filter="true"> tag offers, the ability to filter
> special html characters (<, >, &, etc...). Currently is there a "tool"
> to perform such filtering?
> 

Being fundamentally lazy, I just tend to do this :


 vc.put("xmltool", new org.apache.velocity.anakia.Escape());


:)
-- 
Geir Magnusson Jr. 
Research & Development, Adeptra Inc.
geirm@adeptra.com
+1-203-247-1713


