[stringtemplate-interest] Cross-site scripting countermeasures
jjsnyders at rcn.com
Sat Feb 23 20:14:10 PST 2008
I wrote about this recently on my blog.
Just some thoughts really; may not be what you are looking for.
What I have done in practice is create a format renderer that does the
The template author needs to know the context (element content,
attribute value, etc.) and use the appropriate format option.
Florian Weimer wrote:
> I've been trying to figure out, based on the documentation, how you
> ensure proper output encoding (in particular HTML encoding, to prevent
> Has this been a consideration in StringTemplate's design (and the
> existing StringTemplate deployments just happen to be broken in similar
> ways), or is this out of the scope of StringTemplate?
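The context-specific format options described in the message above, sketched as an added example; it is not code from the original post or from StringTemplate. The class `ContextEncoder`, the method `render`, and the format names `html` and `attr` are hypothetical, and rejecting a missing or unknown format name is an assumption of this sketch.

```java
// Added example: one encoder per output context, selected by a format name
// that the template author supplies. All names here are hypothetical.
public class ContextEncoder {

    // Element content: encode the characters that can start markup or entities.
    static String html(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Quoted attribute value: additionally encode both quote characters,
    // so the value cannot close the attribute it is written into.
    static String attr(String s) {
        return html(s).replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Shaped like a renderer that receives the value and a format name.
    // A missing or unknown format is rejected instead of emitting raw text.
    public static String render(Object value, String formatName) {
        String s = String.valueOf(value);
        switch (formatName == null ? "" : formatName) {
            case "html": return html(s);
            case "attr": return attr(s);
            default:
                throw new IllegalArgumentException(
                    "no encoder registered for format: " + formatName);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup and both quote styles.
        String input = "O'Reilly & <b>\"Sons\"</b>";
        // Same value, two contexts, two different encodings.
        System.out.println("<p>" + render(input, "html") + "</p>");
        System.out.println("<input value=\"" + render(input, "attr") + "\">");
    }
}
```

The `html` encoder alone is not sufficient inside an attribute value because it leaves quote characters intact, which is why the template author has to pick the format that matches the output context.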