It's not typical to html escape input. HTML is about presentation and
most input is just input. In other words, you want to HTML escape just
before presenting the input to the user but not store the input escaped
(at least I think that's what most applications use).

Tapestry does already HTML escape all output unless you render the data
raw on purpose. There are however a few things that you should be careful
of. If you dynamically add some Javascript based on user input (using a
Mixin for example) you should make sure that the user input cannot
'escape' the quotes of your Javascript code because that would create a
possible XSS vulnerability.

Martijn

On Thu, 2008-08-21 at 12:12 -0600, Eric Rogers wrote:
> Hello Howard,
> 
> Does Tapestry provide any way to do this on input, even if it is just for
> all form data that is submitted?  Perhaps being able to wire an interceptor
> of some form in?
> 
> Thanks,
> 
> Eric
> 
> 
> On Thu, Aug 21, 2008 at 11:57 AM, Eric Rogers <[EMAIL PROTECTED]> wrote:
> 
> > Hello Howard,
> >
> > Thanks for the information.
> >
> > Thanks,
> >
> > Eric
> >
> >
> >
> > On Tue, Aug 19, 2008 at 1:18 PM, Howard Lewis Ship <[EMAIL PROTECTED]>wrote:
> >
> >> Tapestry mostly captures this on the output side; that is, when you
> >> output a string (using, say ${property} expansion), the output is
> >> filtered; the key HTML entities, "<", "&" and ">", are converted to
> >> proper entities: "&lt;", etc.
> >>
> >> On Tue, Aug 19, 2008 at 11:11 AM, Eric Rogers <[EMAIL PROTECTED]>
> >> wrote:
> >> > Hello All,
> >> >
> >> > I am using Tapestry 5.0.14 and am looking to filter input in my Tapestry
> >> > application for characters related to cross-site scripting.  Some input is
> >> > from regular form submission, while other input is received using AJAX event
> >> > listeners and JSON.  I realize that one can use a custom translator to scrub
> >> > any unwanted characters from input for a given field.  However, I was
> >> > wondering if anyone has come across a more general pattern or strategy to do
> >> > this for both form and JSON input without having to explicitly define a
> >> > translator for form fields, and manually call some method to do the same for
> >> > a JSONObject.
> >> >
> >> > Thanks,
> >> >
> >> > Eric
> >> >
> >>
> >>
> >>
> >> --
> >> Howard M. Lewis Ship
> >>
> >> Creator Apache Tapestry and Apache HiveMind
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >>
> >
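Martijn's warning at the top of the thread, and Howard's description of the output-side filtering of "<", "&" and ">", as an added example that is not part of the original thread or of Tapestry: `htmlEscape` models the output filter Howard describes, while `jsStringEscape`, `buildScriptUnsafe`, `buildScriptSafe` and `run` are illustrative helpers written for this example, not Tapestry APIs. It shows why user input that is safe inside HTML text can still break out of a JavaScript string literal unless it is escaped for that context.

```javascript
// Model of the output-side escaping Howard describes: "<", "&" and ">"
// become entities. Quotes are left alone, exactly as in that description.
function htmlEscape(s) {
  return s.replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' })[c]);
}

// Escaping for a JavaScript string-literal context: anything that is not a
// plain letter, digit or space is written as \xHH or \uHHHH, so quotes,
// backslashes, newlines, "<" and "/" can never end the literal or the
// surrounding <script> element. The browser decodes these back to the
// original characters when it evaluates the literal.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Two ways a Mixin-style snippet might embed user input in a JS string.
// Unsafe: HTML escaping only, which does nothing about the closing quote.
function buildScriptUnsafe(input) {
  return "var name = '" + htmlEscape(input) + "'; return name;";
}
// Safe: escape for the JavaScript string context the value lands in.
function buildScriptSafe(input) {
  return "var name = '" + jsStringEscape(input) + "'; return name;";
}

// Evaluate a snippet the way the page would, with `sink` standing in for the
// page's global scope so we can observe whether injected statements ran.
function run(script) {
  const sink = {};
  const value = new Function('sink', script)(sink);
  return { value, injected: sink.injected === true };
}

// Constructed sample input: harmless as HTML text, but it closes the literal
// and appends a statement of its own (here it merely flags the sink).
const USER_INPUT = "Bob'; sink.injected = true; '";
```

With the unsafe builder the extra statement executes and `name` is truncated to `Bob`; with the safe builder nothing extra runs and `name` equals the input exactly.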


