Re: security audit (msg#00190, jakarta.velocity.user)

Will Glass-Husain said:
> I forgot one more important security issue -- cross-site scripting vulnerabilities.
>
> Anytime you display text that derives from user input on the velocity page, you
> need to escape all the HTML characters (&, <, >, "). ...
> The solution is to write a tool that substitutes the characters and always use it
> to display user input.
> $HTMLMultiLine.escape($textfromuser)

or you could do the escaping substitution upon input of any text from users. IMHO, that is the cleaner solution; I'd avoid doing this in the template if at all possible, but if you must do it in template...

Nathan Bubna
nathan@xxxxxxxx
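As an added illustration (not code from this thread or from the Velocity project), a minimal escaping tool of the kind Will describes, written as a plain Java object that can be placed in the Velocity context and called from a template. The class name HtmlEscapeTool and the context key html are assumptions; the tool escapes the single quote in addition to the four characters listed above, because user text that lands inside a single-quoted attribute would otherwise break out of it.

```java
// HtmlEscapeTool: output-side escaping for user-derived text rendered in HTML.
// Put an instance in the context, e.g. context.put("html", new HtmlEscapeTool());
// and write $html.escape($textfromuser) in the template (names are assumptions).
public final class HtmlEscapeTool {

    // Replaces every HTML metacharacter with its entity; null passes through
    // unchanged so a missing value renders as Velocity normally renders it.
    public String escape(String text) {
        if (text == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // matters in single-quoted attributes
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-alone demonstration on a constructed sample of user-supplied text.
    public static void main(String[] args) {
        HtmlEscapeTool html = new HtmlEscapeTool();
        String sample = "Tom & Jerry <b onmouseover=\"x\">'hi'</b>"; // constructed input
        System.out.println(html.escape(sample));
        // prints: Tom &amp; Jerry &lt;b onmouseover=&quot;x&quot;&gt;&#39;hi&#39;&lt;/b&gt;
    }
}
```

Escaping once at output time, as this tool does, also avoids the double-encoding that appears when text is escaped on input and then escaped again by a template that applies the tool anyway.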