[stringtemplate-interest] Cross-site scripting countermeasures
Terence Parr
parrt at cs.usfca.edu
Fri Feb 22 10:45:57 PST 2008
On Feb 21, 2008, at 2:35 AM, Florian Weimer wrote:
> I've been trying to figure out, based on the documentation, how you
> ensure proper output encoding (in particular HTML encoding, to prevent
> JavaScript injection attacks).
Hi Florian, I do not do any sort of verification of the output. You
are free to create a StringTemplateWriter object that does the
filtering :)
> Has this been a consideration in StringTemplate's design (and the
> existing StringTemplate deployments just happen to be broken in
> similar ways), or is this out of the scope of StringTemplate?
It is beyond the scope, but ST is flexible enough to do what you want.
Ter
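One way to do the filtering Ter describes, as an added example that is not part of this thread or of the StringTemplate distribution: rather than escaping at the StringTemplateWriter level (where template literals and attribute values are indistinguishable, so the template's own markup would be mangled too), register an HTML-escaping AttributeRenderer for String attributes. It assumes the StringTemplate 3 API (`org.antlr.stringtemplate.AttributeRenderer`, `StringTemplate.registerRenderer`) and ST3's default `$...$` delimiters; the sample input is constructed.

```java
import org.antlr.stringtemplate.AttributeRenderer;
import org.antlr.stringtemplate.StringTemplate;

// HTML-escapes every String attribute before it reaches the output.
// Template literals (the markup written in the template itself) are not
// attributes, so they pass through untouched; only data injected via $attr$
// is encoded. Assumes the StringTemplate 3 AttributeRenderer interface.
public class HtmlEscapingRenderer implements AttributeRenderer {

    // Escape the five characters that can break out of text or attribute context.
    public static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public String toString(Object o) {
        return escape(o.toString());
    }

    // $attr; format="raw"$ is the explicit opt-out for values already known to
    // be safe markup. Any other format name, known or not, still escapes.
    public String toString(Object o, String formatName) {
        if ("raw".equals(formatName)) {
            return o.toString();
        }
        return escape(o.toString());
    }

    public static void main(String[] args) {
        StringTemplate st = new StringTemplate("<p>Hello, $name$!</p>");
        st.registerRenderer(String.class, new HtmlEscapingRenderer());
        // Constructed untrusted input, e.g. straight from a request parameter.
        st.setAttribute("name", "<script>alert('x')</script>");
        // Renders: <p>Hello, &lt;script&gt;alert(&#39;x&#39;)&lt;/script&gt;!</p>
        System.out.println(st.toString());
    }
}
```

The renderer is keyed on `String.class`, so attributes of other types (numbers, nested StringTemplate instances, objects whose `toString()` yields markup) are not covered unless a renderer is registered for them as well; escaping text into a JavaScript or URL context needs a context-specific encoder, not this one.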