Velocity HTML Escaping

16 03 2007

The age-old problem, often overlooked in the rush to get a UI out of the door: HTML escaping. Some view technologies have no support for it, so you are left to do it all manually, or to forget (JSP, where a bare <%= %> or ${} writes the value out verbatim). Some, like RSF, just do it without you even thinking about it because they are XML based. And some have mechanisms that let you choose.

Velocity has an event mechanism that lets you escape output for the target format. You can either implement a reference-insertion handler and attach it to the context, or register one in the engine properties. The standard handlers decide per reference using a regex on the variable name as written in the template, e.g. ${model.sqlStatement} could be matched with /sql.*/ and escaped as SQL. (SQL escaping in the view is a last line of defence only; values that end up in a query should be bound as parameters.)

eventhandler.referenceinsertion.class =
eventhandler.referenceinsertion.class =
eventhandler.escape.html.match = /msg.*/
eventhandler.escape.sql.match = /sql.*/

This approach keeps escaping simple where the output does not conform to XML formatting (e.g. CSS, Sherlock, DDL, ASN.1, etc.), but you have to keep some conformity in the naming of the view model entities... not entirely a bad thing. The flip side is that a reference whose name does not match the pattern is written out untouched, so with an opt-in pattern like /msg.*/ a single mis-named variable is an XSS hole; escaping everything by default and exempting a few explicitly trusted names fails safer.
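The two registration paths described above, as an added example that is not code from the original post, from Sakai or from the Velocity project. It assumes Velocity 1.5 (the standard org.apache.velocity.app.event.implement.EscapeHtmlReference handler and its eventhandler.escape.html.match property, which in 1.5 is a Perl-style slash-delimited pattern matched against the reference text as written in the template) plus commons-lang 2.x for StringEscapeUtils, which EscapeHtmlReference itself uses. The handler signature referenceInsert(String, Object) is the 1.x one; Velocity 2.x adds a Context parameter. The class names VelocityEscapeDemo and EscapeUnlessRaw, the template and the PAYLOAD string are constructed for the example.

```java
import java.io.StringWriter;
import java.util.regex.Pattern;

import org.apache.commons.lang.StringEscapeUtils;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Renders the same template two ways: with the standard EscapeHtmlReference
 * registered through engine properties (escape only references whose name
 * matches a pattern) and with a hand-written handler attached to the context
 * (escape everything unless the name marks the value as trusted).
 */
public class VelocityEscapeDemo {

    // Constructed template: $msgBody carries user input, $rawHtml is a
    // server-generated fragment the view expects to pass through unescaped.
    private static final String TEMPLATE =
        "<p>$msgBody</p>\n<div>$rawHtml</div>\n";

    // Constructed attacker input: breaks out of an attribute and injects script.
    static final String PAYLOAD = "\"><script>alert(\"hello\");</script><\"";

    private static VelocityContext sampleContext() {
        VelocityContext ctx = new VelocityContext();
        ctx.put("msgBody", PAYLOAD);
        ctx.put("rawHtml", "<b>trusted markup</b>");
        return ctx;
    }

    /** Opt-in escaping: only references whose name matches /msg.*\/ are escaped. */
    public static String renderWithPropertyHandler() throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty("eventhandler.referenceinsertion.class",
            "org.apache.velocity.app.event.implement.EscapeHtmlReference");
        // Velocity 1.5 matches this pattern against the reference as written
        // in the template, e.g. "$msgBody"; "$rawHtml" does not match and is
        // emitted verbatim, which is exactly the naming-convention trap.
        engine.setProperty("eventhandler.escape.html.match", "/msg.*/");
        engine.init();

        StringWriter out = new StringWriter();
        engine.evaluate(sampleContext(), out, "demo", TEMPLATE);
        return out.toString();
    }

    /**
     * Opt-out escaping: HTML-escapes every reference except those whose name
     * starts with "raw". A value that arrives under a non-conforming name is
     * escaped rather than emitted verbatim.
     */
    static final class EscapeUnlessRaw implements ReferenceInsertionEventHandler {
        // Matches "$rawHtml" and "${rawHtml}" but not "$model.rawHtml".
        private static final Pattern TRUSTED = Pattern.compile("^\\$\\{?raw");

        public Object referenceInsert(String reference, Object value) {
            if (value == null) {
                return null;
            }
            if (TRUSTED.matcher(reference).find()) {
                return value;
            }
            return StringEscapeUtils.escapeHtml(value.toString());
        }
    }

    public static String renderWithContextHandler() throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.init();

        VelocityContext ctx = sampleContext();
        // The cartridge travels with the context, so only this render is affected.
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new EscapeUnlessRaw());
        cartridge.attachToContext(ctx);

        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("-- property-registered EscapeHtmlReference, match /msg.*/ --");
        System.out.println(renderWithPropertyHandler());
        System.out.println("-- context-attached EscapeUnlessRaw --");
        System.out.println(renderWithContextHandler());
    }
}
```

In both renderings the script in $msgBody comes out as &lt;script&gt;... and the trusted fragment in $rawHtml comes out as markup. The difference shows up the moment a template author adds a third reference with an arbitrary name: the property-registered handler with an opt-in pattern lets it through unescaped, while EscapeUnlessRaw escapes it unless someone deliberately names it raw*.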




3 responses

16 03 2007
Matthew Buckett

JSPs aren't all that bad. If you use the core standard tag library then you just have something like:

<c:out value="${somevalue}" escapeXml="true"/>

16 03 2007
Lance Speelmon

I noticed that Velocity just had their 1.5 release. Should we consider upgrading to that version in Sakai? Thanks, L

16 03 2007
Ian Boston

Yes, JSPs with a taglib work just fine and are relatively easy to use; the problem is 100's of developers knock something up quickly and forget to use the tag. If you step into the PHP world probably 50% of the apps out there will have some sort of vulnerability of this type, and it's scary what a user can make happen with "> <script>alert("hello");</script> <". Replace the script with object and clsid on some OSs and you can really have fun 🙂

Velocity 1.5
We probably should upgrade; the old velocity tools are relatively easy since the version is in the WAR, but there might need to be some porting of the velocity tool support. In other places velocity is used natively, and I don't think anyone is using it as a render engine for Spring MVC... which requires different treatment. I tend to use V1.4 at the moment; the older tools are on 1.3.1.
