Re: [SOLVED] WOImage escaping problem
- Subject: Re: [SOLVED] WOImage escaping problem
- From: Chuck Hill <email@hidden>
- Date: Thu, 6 Sep 2007 13:09:13 -0700
On Sep 6, 2007, at 10:08 AM, Miguel Arroz wrote:
Hi!
Ok, answering to myself:
    // Escape the alt binding before it is emitted as an HTML attribute value
    public String escapedAlt() {
        return WOMessage.stringByEscapingHTMLAttributeValue(alt());
    }
Time for a naive question: shouldn't WO escape all the "unknown"
attributes by default? This may lead to very serious security
problems... (HTML injection, XSS, etc.)
The implementation of this precedes most of the technologies that can
be used for hacks. :-)
Given how WO works on the server, the potential security problems are
limited: links to spam sites, redirection to phishing sites. It is
up to you to vet user input before injecting it into a page.
Also, for some of these strings it is useful to not escape the HTML.
We would end up with
    alt = ...
    escapeHTMLInAlt = false;
    title = ...
    escapeHTMLInTitle = false;
On 2007/09/06, at 17:54, Miguel Arroz wrote:
Hi!
I want to use the "alt" tag with WOImage. It appears to not be a
problem, as the alt="blabla" is added to the code.
The problem is that the text is not correctly escaped. If I add
this text as the alt text:
    Text with commas. "Text with commas". Text with commas.
I get this:
    <img alt="Text with commas. "Text with="with"
    commas".="commas"." Text="Text" with="with" commas."="commas.""
    src="imageURL"></img>
How can I do this with correctly escaped text?
Yours
Miguel Arroz
Miguel Arroz
http://www.terminalapp.net
http://www.ipragma.com
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems.
http://www.global-village.net/products/practical_webobjects
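An added example, not code from the thread and not WebObjects code: a stand-alone Java class with a minimal HTML attribute-value escaper standing in for WOMessage.stringByEscapingHTMLAttributeValue (whose exact output may differ), applied to the alt text from the original post and to a constructed value that closes the attribute and appends an event handler. The class name, method names and the "injected" sample are invented for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example for this page: a stand-in for WOMessage.stringByEscapingHTMLAttributeValue,
// NOT the WebObjects implementation. It shows why raw alt text breaks an <img> tag
// and what escaping the attribute value changes.
public class AltEscapeDemo {

    // Escape the characters that can terminate a quoted attribute value or
    // start markup inside it. Entities used here are standard HTML.
    static String escapeHtmlAttributeValue(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What a naive component does: concatenate the raw binding value into the tag.
    static String naiveImgTag(String src, String alt) {
        return "<img alt=\"" + alt + "\" src=\"" + src + "\" />";
    }

    // What the escapedAlt() workaround from the thread achieves (src escaped too,
    // since it is also an attribute value).
    static String escapedImgTag(String src, String alt) {
        return "<img alt=\"" + escapeHtmlAttributeValue(alt)
             + "\" src=\"" + escapeHtmlAttributeValue(src) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the alt text quoted in the original post,
        // and a value that closes the attribute and adds an event handler.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("thread", "Text with commas. \"Text with commas\". Text with commas.");
        samples.put("injected", "x\" onerror=\"alert(1)");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            System.out.println("--- " + e.getKey());
            System.out.println("naive:   " + naiveImgTag("imageURL", e.getValue()));
            System.out.println("escaped: " + escapedImgTag("imageURL", e.getValue()));
        }
    }
}
```

Compile and run with `javac AltEscapeDemo.java && java AltEscapeDemo`. The "naive" line for the thread's text reproduces the broken tag a browser then re-parses into bogus attributes; the "injected" line shows that the same defect lets a binding value add attributes of its own, which is why escaping every attribute value, not just the visible body text, is the rule to follow.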