
Re: security audit: msg#00187

jakarta.velocity.user

Subject: Re: security audit

Hi,

Great comments! I'll definitely write up a summary in a few days.

I forgot one more important security issue -- cross-site scripting
vulnerabilities.

Anytime you display text that derives from user input on the velocity page, you
need to escape all the HTML characters (&, <, >, "). Otherwise a malicious end
user can insert javascript that displays on a third user's browser window.
Here's a short article on the problem.
http://msdn.microsoft.com/workshop/author/dhtml/sec_dhtml.asp#xsite

The solution is to write a tool that substitutes the characters and always use
it to display user input.
$HTMLMultiLine.escape($textfromuser)

For added convenience, make a similar method that changes carriage returns to
<br>'s for greater readability. If anyone wants sample code for a tool that
does this, let me know.
$HTMLMultiLine.escapeMultiLine($textfromuser)

WILL

P.S. Didn't mean to start a flame war re: the developers. But reading the
dev-lists, it does seem like the committers (with the exception of Nathan) have
moved on to other projects and haven't had much time to devote to Velocity in
the last year. There are a number of questions and proposals on the velocity-dev
list that go into a near vacuum. Also, my impression (perhaps erroneous) is
that very few patches by non-committer contributors have made it into the core
(which is a disincentive to contribute). As always, I'm very happy to have
such a great tool to work with, and appreciate all the efforts from Geir, Jon,
Daniel, Nathan and others in the past.


_______________________________________
Forio Business Simulations
Will Glass-Husain


wglass@xxxxxxxxx
www.forio.com
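The kind of escaping tool the message above describes, written out as an added example (this is not code from the original post or from the Velocity project). It assumes a hypothetical class named HTMLMultiLine that is placed in the VelocityContext so a template can call $HTMLMultiLine.escape($textfromuser) and $HTMLMultiLine.escapeMultiLine($textfromuser); the user text in main() is a constructed sample containing a script tag, not data from the thread.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical Velocity "tool" for HTML-escaping user-supplied text.
 * Added example, not code from the original post or the Velocity project.
 * Java side:   context.put("HTMLMultiLine", new HTMLMultiLine());
 * Template:    $HTMLMultiLine.escapeMultiLine($textfromuser)
 */
public final class HTMLMultiLine {

    /**
     * Replace the characters that let text break out of an HTML text node
     * or a quoted attribute value. A single pass over the input avoids the
     * classic double-escaping bug of chained String.replace() calls, where
     * '&' replaced after '<' turns "&lt;" into "&amp;lt;".
     */
    public String escape(String text) {
        if (text == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // also closes single-quoted attributes
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Windows, old-Mac and Unix line endings; "\r\n" listed first so it counts once. */
    private static final Pattern LINE_BREAK = Pattern.compile("\r\n|\r|\n");

    /**
     * Escape first, then convert line breaks to <br>. Doing it in this order
     * guarantees the only markup in the output is the <br> we inserted.
     */
    public String escapeMultiLine(String text) {
        return LINE_BREAK.matcher(escape(text)).replaceAll("<br>\n");
    }

    public static void main(String[] args) {
        HTMLMultiLine tool = new HTMLMultiLine();
        // Constructed sample standing in for a form field a malicious user filled in.
        String userText = "Hi <b>all</b>\r\n<script>alert(\"xss\")</script>\n& it's \"done\"";
        System.out.println(tool.escape(userText));
        System.out.println("----");
        System.out.println(tool.escapeMultiLine(userText));
    }
}
```

The escaped output renders the script tag as literal text instead of executing it in a third user's browser. Note the caveat on scope: this escaping is correct only for HTML element content and quoted attribute values. Text dropped into a JavaScript block, a URL, or an unquoted attribute needs a different encoding, so use a separate tool method for each of those contexts rather than reusing escape().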