On Fri, 29 Nov 2013 06:37:48 -0200, Nathan Quirynen
<nat...@pensionarchitects.be> wrote:
> What Tapestry now does for encoding is the following, if I'm right:
> in *org.apache.tapestry5.dom.MarkupModel.encode(String)* it encodes only
> *<*, *>* and *&*
> which is not enough following the OWASP XSS Prevention Cheat Sheet
> <https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content>
> for just HTML output.
Tapestry does HTML encoding and never claimed to do anything beyond that.
> Now I have a Request filter that does encoding on input, but then
> Tapestry does double encoding on output, which is not optimal at all as
> it will actually output everything as <, >, ... Changing all
> output to outputraw does not seem optimal either.
You probably need raw output in just a handful of places.
Please file a JIRA so the HTML encoding itself is done by a service, so
you can easily override it and do any encoding you want. Meanwhile, you
may take a look at Tapestry sources to figure out how to provide your own
MarkupModel.
--
Thiago H. de Paula Figueiredo
Tapestry, Java and Hibernate consultant and developer
http://machina.com.br
Help me spend a whole month working on Tapestry bug fixes and
improvements: http://igg.me/at/t5month
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
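The two encoding policies discussed in this thread, side by side, as an added example that is neither Tapestry's code nor Nathan's or Thiago's. It is a stand-alone Java class, not an implementation of Tapestry's MarkupModel interface (whose wiring is what Thiago points to the Tapestry sources for); `encodeMinimal` reproduces the three-character policy the thread attributes to `MarkupModel.encode`, `encodeOwaspRule1` applies the cheat sheet's Rule #1 set, and the toy `decode` helper only exists to show what the browser would display after the double encoding Nathan describes. The sample input is constructed.

```java
/**
 * Added example (not Tapestry code): the two encoding policies from the thread,
 * plus the double-encoding effect of escaping on input and again on output.
 */
public final class HtmlEncodingDemo {

    /** Encodes only the three characters the thread says MarkupModel.encode handles. */
    static String encodeMinimal(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;");  break;
                case '>': out.append("&gt;");  break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    /** OWASP XSS Prevention Cheat Sheet, Rule #1: also escape both quote characters and '/'. */
    static String encodeOwaspRule1(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;  // &apos; is not in the HTML 4 entity set
                case '/':  out.append("&#x2F;"); break;  // the cheat sheet escapes '/' as it can end a tag
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Toy decoder for the entities produced above, to show what a browser would display. */
    static String decode(String s) {
        // &amp; must be decoded last, otherwise a double-encoded value would be decoded twice.
        return s.replace("&lt;", "<").replace("&gt;", ">").replace("&quot;", "\"")
                .replace("&#x27;", "'").replace("&#x2F;", "/").replace("&amp;", "&");
    }

    public static void main(String[] args) {
        // Constructed untrusted input containing every character Rule #1 cares about.
        String untrusted = "O'Brien says \"<b>&</b>\" 1/2";

        System.out.println("minimal : " + encodeMinimal(untrusted));
        // O'Brien says "&lt;b&gt;&amp;&lt;/b&gt;" 1/2   (both quote characters pass through)
        System.out.println("rule #1 : " + encodeOwaspRule1(untrusted));
        // O&#x27;Brien says &quot;&lt;b&gt;&amp;&lt;&#x2F;b&gt;&quot; 1&#x2F;2

        // Why the quotes matter: the same value placed inside a double-quoted attribute.
        // With the minimal policy a quote in the data terminates the attribute value;
        // with Rule #1 the attribute stays intact.
        String broken = "title=\"" + encodeMinimal("a\" b") + "\"";     // title="a" b"
        String intact = "title=\"" + encodeOwaspRule1("a\" b") + "\"";  // title="a&quot; b"
        System.out.println(broken + "  vs  " + intact);

        // Double encoding: a request filter escapes on input, then output escaping runs again.
        String storedByFilter = encodeOwaspRule1("<b>");       // &lt;b&gt;
        String rendered = encodeMinimal(storedByFilter);        // &amp;lt;b&amp;gt;
        System.out.println("rendered : " + rendered);
        System.out.println("displayed: " + decode(rendered));   // &lt;b&gt; shown literally to the user
    }
}
```

The last block is the symptom Nathan reports: once the filter has already turned `<` into `&lt;`, output encoding turns the `&` into `&amp;`, so the page shows `&lt;` instead of `<`. Encoding once, at output time and with the full Rule #1 character set, avoids both problems, which is why Thiago's suggestion is to replace the output encoder rather than to add an input filter.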