Re: Tapestry 5 validation for cross site scripting

2008-05-25 Thread 9902468
rkup upfront. > > - Original Message - > From: "9902468" <[EMAIL PROTECTED]> > To: users@tapestry.apache.org > Sent: Friday, 23 May, 2008 3:40:20 PM GMT +02:00 Athens, Beirut, > Bucharest, Istanbul > Subject: Re: Tapestry 5 validation for cross site scripting >

Re: Tapestry 5 validation for cross site scripting

2008-05-23 Thread Martin Strand
I wrote a webmail app once, where cross site scripting was a concern for html email messages. I parsed the html message to a dom with htmlcleaner, then removed all

Re: Tapestry 5 validation for cross site scripting

2008-05-23 Thread Peter Stavrinides
est, Istanbul Subject: Re: Tapestry 5 validation for cross site scripting Using the "parseClient" event, you could intercept the string submitted by the user and do the filtering before the value is assigned to a page property. You could also design a translator for this purpose. On

Re: Tapestry 5 validation for cross site scripting

2008-05-23 Thread Peter Stavrinides
2008 6:12:02 PM GMT +02:00 Athens, Beirut, Bucharest, Istanbul Subject: Re: Tapestry 5 validation for cross site scripting On 5/23/08, Peter Stavrinides <[EMAIL PROTECTED]> wrote: > The data in our database is shared by other apps, so its integrity is most > important and requires extensiv

Re: Tapestry 5 validation for cross site scripting

2008-05-23 Thread Howard Lewis Ship
Using the "parseClient" event, you could intercept the string submitted by the user and do the filtering before the value is assigned to a page property. You could also design a translator for this purpose. On Fri, May 23, 2008 at 3:41 AM, Peter Stavrinides <[EMAIL PROTECTED]> wrote: > Hi All > >

Re: Tapestry 5 validation for cross site scripting

2008-05-23 Thread Thiago HP
On 5/23/08, Peter Stavrinides <[EMAIL PROTECTED]> wrote: > The data in our database is shared by other apps, so its integrity is most > important and requires extensive validation... therefore I would have to take > a more > defensive approach and filter out unwanted markup upfront. What about us

Re: Tapestry 5 validation for cross site scripting

2008-05-23 Thread Peter Stavrinides
D]> To: users@tapestry.apache.org Sent: Friday, 23 May, 2008 3:40:20 PM GMT +02:00 Athens, Beirut, Bucharest, Istanbul Subject: Re: Tapestry 5 validation for cross site scripting Hi, we have always done it so that the user can input anything they like, but when the page renders some marks like <

Re: Tapestry 5 validation for cross site scripting

2008-05-23 Thread 9902468
Hi, we have always done it so that the user can input anything they like, but when the page renders some marks like < and > are encoded to HTML entities. This way the data is in the database exactly as the user intended, and the browser etc. is safe because dangerous characters are encoded. If you en