Posted to general@velocity.apache.org by "dcreed97@yahoo.com" <dc...@yahoo.com> on 2009/01/29 17:09:41 UTC

Escaping HTML with Velocity Layout Servlet

Hi - 

I couldn't find an answer to this in the list archives or with general web search.  I am trying to escape HTML when displaying user entered data for typical usual reasons of not having my app open to CSS attack.  

I have set up the EscapeHtmlReference code and it works fine, but the issue is that using the layout servlet, it appears that the html escaping tool either escapes the entire $screen_content value or, by setting eventhandler.escape.html.match to /^screen_content/, none of it.  It appears that the tool isn't aware of (or doesn't have visibility into) the pre-merged state of everything below $screen_content, and so merges everything and then escapes everything in $screen_content.

Is there an HTML reference escaper that is aware of layouts and can properly handle this situation (i.e., don't just escape $screen_content - escape everything in the template content)?

Thank you for any thoughts,

Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@velocity.apache.org
For additional commands, e-mail: general-help@velocity.apache.org


Re: Escaping HTML with Velocity Layout Servlet

Posted by Nathan Bubna <nb...@gmail.com>.
Ok, I tried this, and it turns out that /^screen_content/ matches the
$screen_content reference specifically.  In Perl regex (which is used
here via the Jakarta Oro lib), ^ denotes the start of a line unless it
is used in a class definition like [^a-z], in which case it negates
the class.

http://www.rexswain.com/perl5.html#regular

I'm actually not sure how to write an expression that matches
everything but $screen_content, except perhaps /^[^_]+$/ (which would
match anything that didn't have a _ in it).  Not ideal, but I'm drawing
a blank on other ways to achieve this.  If there's no way to define an
entirely negated regex, then we should perhaps consider adding a
property like:

eventhandler.escape.html.match.except

or something like that.

P.S.  I just noticed that this conversation is on the general@ list.
This would be better on the user@ list (where there are more people
watching).

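A small Python simulation of the two-pass layout merge and the match regex, added here as an illustration and not code from Velocity or from anyone in this thread. It assumes the pattern is tested against the reference name without its `$` sigil (the thread does not settle whether Velocity includes the sigil in the matched string), and the templates and user input are constructed.

```python
import html
import re

# Constructed templates standing in for a VelocityLayoutServlet screen and
# layout; the real servlet merges the screen first, then the layout.
SCREEN_TEMPLATE = "<p>Hello, $user.name</p>"
LAYOUT_TEMPLATE = "<html><body>$screen_content</body></html>"
REFERENCE = re.compile(r"\$([A-Za-z_][\w.]*)")

def matches(name, match_pattern):
    """True if the reference name matches the configured Perl-style regex.
    Assumption: the pattern is applied to the name without its '$' sigil."""
    return re.search(match_pattern, name) is not None

def render(template, context, match_pattern):
    """Mimic EscapeHtmlReference: a reference is HTML-escaped at insertion
    time only when its name matches eventhandler.escape.html.match."""
    def insert(m):
        name = m.group(1)
        value = str(context[name])
        return html.escape(value, quote=True) if matches(name, match_pattern) else value
    return REFERENCE.sub(insert, template)

def render_page(user_name, match_pattern):
    """Two-pass merge: screen template first, then the layout that
    inserts the already-rendered HTML as $screen_content."""
    screen = render(SCREEN_TEMPLATE, {"user.name": user_name}, match_pattern)
    return render(LAYOUT_TEMPLATE, {"screen_content": screen}, match_pattern)

if __name__ == "__main__":
    hostile = "<b>x</b>"  # constructed user input that contains markup
    # Matching only $screen_content escapes the whole rendered screen, so the
    # screen's own markup is destroyed while $user.name was never escaped.
    print(render_page(hostile, r"^screen_content"))
    # The negated pattern from the reply: escape every reference except
    # those containing '_', so $user.name is escaped and the screen passes.
    print(render_page(hostile, r"^[^_]+$"))
```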


Re: Escaping HTML with Velocity Layout Servlet

Posted by "dcreed97@yahoo.com" <dc...@yahoo.com>.
Hi Nathan - thanks.  Anyone have any additional thoughts on this?  Beginning to believe that without writing my own plugin to Velocity, escaping HTML in Velocity Layout Servlet is impossible (short of putting in some sort of escape tag).

Thanks,

Dave


Re: Escaping HTML with Velocity Layout Servlet

Posted by Nathan Bubna <nb...@gmail.com>.
Hmm.  That's odd that nothing gets escaped in the screen when you set
"eventhandler.escape.html.match to /^screen_content/".  I'll have to
try this out myself, as I'm fairly sure that should have done the
trick.
