[stringtemplate-interest] Cross-site scripting countermeasures

John Snyders jjsnyders at rcn.com
Sat Feb 23 20:14:10 PST 2008


I wrote about this recently on my blog.
http://hardlikesoftware.com/weblog/2008/02/15/script-injection-and-stringtemplate/
Just some thoughts really, may not be what you are looking for.

What I have done in practice is create a format renderer that does the proper escaping.
The template author needs to know the context (element content, attribute value etc) and use the appropriate format option.

-John

Florian Weimer wrote:
> I've been trying to figure out, based on the documentation, how you
> ensure proper output encoding (in particular HTML encoding, to prevent
> Javascript injection attacks).
>
> Has this been a consideration in StringTemplate's design (and the
> existing StringTemplate deployments just happen to be broken in similar
> ways), or is this out of the scope of StringTemplate?
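An added example (not John's code and not part of StringTemplate itself) of the kind of context-aware renderer described above, for StringTemplate 3: the class name HtmlRenderer and the format names html, attr, js and raw are assumptions, and the template author picks the option that matches the HTML context the value lands in.

```java
import org.antlr.stringtemplate.AttributeRenderer;
import org.antlr.stringtemplate.StringTemplate;
import org.antlr.stringtemplate.StringTemplateGroup;

// Context-aware escaping renderer for StringTemplate 3 (added example; the
// format names "html", "attr", "js" and "raw" are this example's own choice).
public class HtmlRenderer implements AttributeRenderer {
    // No format option given: escape as element content, so a forgotten option
    // fails safe instead of emitting the raw value.
    public String toString(Object o) { return toString(o, "html"); }

    public String toString(Object o, String formatName) {
        String s = String.valueOf(o);
        if ("html".equals(formatName)) return escapeHtml(s);
        if ("attr".equals(formatName)) return escapeAttr(s);
        if ("js".equals(formatName))   return escapeJs(s);
        if ("raw".equals(formatName))  return s;  // explicit opt-out only
        throw new IllegalArgumentException("unknown format: " + formatName);
    }

    // Element content: the characters that can open a tag or an entity.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Attribute value: entity-encode all but ASCII letters and digits, which
    // stays safe even if the template author omitted the surrounding quotes.
    static String escapeAttr(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) b.append(c);
            else b.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return b.toString();
    }

    // JavaScript string literal: \xHH or \uHHHH, so quotes, backslashes and
    // "</script>" cannot end the literal or the script element.
    static String escapeJs(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) b.append(c);
            else b.append(String.format(c < 256 ? "\\x%02x" : "\\u%04x", (int) c));
        }
        return b.toString();
    }

    public static void main(String[] args) {
        StringTemplateGroup group = new StringTemplateGroup("example");
        group.registerRenderer(String.class, new HtmlRenderer());
        StringTemplate t = new StringTemplate(group,
            "<p title=\"$n; format=\"attr\"$\">$n; format=\"html\"$</p>\n"
          + "<script>var n = '$n; format=\"js\"$';</script>");
        t.setAttribute("n", "Tom & Jerry's \"<b>\"");  // constructed sample input
        System.out.println(t.toString());
    }
}
```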