Oof, I forgot about that new nicety. I'll review the ones in trunk and the comment POJO. On first glance, it looks like we have some double escaping and other problems going on.
- Dave

On 5/18/07, Allen Gilliland <[EMAIL PROTECTED]> wrote:
Actually, we don't really want to be putting those escapes into the velocity macros in the trunk anymore. The better solution is to escape that data in the pojo wrappers so that it's guaranteed to be escaped in templates no matter what people do. I have already done that for the comment pojo wrapper, but we should probably do a general audit of all the pojo wrappers and add those html escape calls to all places where it makes sense. -- Allen [EMAIL PROTECTED] wrote: > Author: snoopdave > Date: Fri May 18 13:08:18 2007 > New Revision: 539584 > > URL: http://svn.apache.org/viewvc?view=rev&rev=539584 > Log: > Oops, we missed this comment field when we added XSS preventing escapeing > > Modified: > roller/trunk/web/WEB-INF/velocity/weblog.vm > > Modified: roller/trunk/web/WEB-INF/velocity/weblog.vm > URL: http://svn.apache.org/viewvc/roller/trunk/web/WEB-INF/velocity/weblog.vm?view=diff&rev=539584&r1=539583&r2=539584 > ============================================================================== > --- roller/trunk/web/WEB-INF/velocity/weblog.vm (original) > +++ roller/trunk/web/WEB-INF/velocity/weblog.vm Fri May 18 13:08:18 2007 > @@ -196,7 +196,7 @@ > <p class="comment-details"> > $text.get("macro.weblog.postedby") > #if (!$utils.isEmpty($comment.name) && !$utils.isEmpty($comment.url)) > - <a rel="nofollow" href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a> > + <a rel="nofollow" href="$utils.escapeHTML($comment.url)"><b>$utils.escapeHTML($comment.name)</b></a> > #elseif (!$utils.isEmpty($comment.name)) > <b>$utils.escapeHTML($comment.name)</b> > #elseif ($comment.remoteHost) > >
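Review bot: the changed href line, `+ <a rel="nofollow" href="$utils.escapeHTML($comment.url)">`, escapes in the macro while the reply above says escaping is moving into the POJO wrappers; if the comment wrapper already returns an escaped url, this line escapes it a second time and an `&` in a query string ends up rendered as `&amp;amp;`, which is the double escaping Dave mentions. Pick one layer (wrapper or macro) and apply it to `name` and `url` alike, and note that HTML escaping only stops attribute break-out; it does not restrict the URL scheme, so the href value still needs a scheme check wherever the escaping ends up living.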
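The wrapper-side approach Allen describes, as an added illustration that is not Roller's code: the class, field names, the `escapeHtml` helper and the http(s) scheme check are all assumptions, and the `main` method shows what happens when a template escapes the wrapper's already-escaped output a second time.

```java
import java.util.Objects;

// Added illustration (not Roller's code): a presentation-layer wrapper that
// escapes comment fields once, so templates can use $comment.name / $comment.url
// directly without calling $utils.escapeHTML on them again.
public final class CommentWrapper {

    // Minimal HTML escaper for the characters that matter in element and
    // attribute context; Roller's $utils.escapeHTML is assumed to behave alike.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The raw comment record; field names are assumed, not Roller's POJO.
    static final class Comment {
        final String name, url;
        Comment(String name, String url) { this.name = name; this.url = url; }
    }

    private final Comment pojo;
    CommentWrapper(Comment pojo) { this.pojo = Objects.requireNonNull(pojo); }

    // Every getter escapes exactly once; the template must not escape again.
    public String getName() { return escapeHtml(pojo.name); }

    // href context: escaping stops attribute break-out; the scheme allowlist
    // (an assumption added here) keeps non-http(s) values out of the link.
    public String getUrl() {
        String u = pojo.url == null ? "" : pojo.url.trim();
        String lower = u.toLowerCase();
        if (!(lower.startsWith("http://") || lower.startsWith("https://"))) return "";
        return escapeHtml(u);
    }

    public static void main(String[] args) {
        // Constructed sample comment with markup in the name and a query string in the url.
        CommentWrapper c = new CommentWrapper(
            new Comment("Bob <b>\"bold\"</b>", "http://example.com/?a=1&b=2"));
        System.out.println(c.getName());
        System.out.println(c.getUrl());
        // Escaping the wrapper's output again reproduces the double escaping
        // Dave refers to: the already-encoded ampersand gets encoded once more.
        System.out.println(escapeHtml(c.getUrl()));
    }
}
```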