
Description
The security:authentication tag does not escape HTML/XML entities, but it would be nice if the option were available, as it is with the JSTL c:out tag. I would even suggest that escaping XML entities should be the default behavior (again, as it is with c:out) because this helps to protect against script injections. Currently somebody could make their username something like <script ...> and if you render it using security:authentication then the browser would run the script.
I don't think it's reasonable to assume that people will disallow '<' and '>' characters in their user fields, partly because many people won't know there's an issue, and partly because in some contexts you want to allow such characters. (For example, gamers like usernames with all kinds of funky characters in them.)
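Added illustration of the problem described in the report above; this is not Spring Security's tag implementation, and the class, method and property names (`AuthenticationTagDemo`, `render`, `escapeXml`, the `username` property) are assumed for the example. The principal is a constructed map standing in for the authenticated user object, and `escapeXml` reproduces the five-character escaping that JSTL's `c:out` applies when `escapeXml="true"`.

```java
import java.util.Collections;
import java.util.Map;

/**
 * Illustration only (not Spring Security's code): a minimal stand-in for a JSP
 * tag that prints a property of the logged-in principal, with an opt-in
 * escaping step equivalent to JSTL's <c:out escapeXml="true">.
 */
public class AuthenticationTagDemo {

    /** Escapes the five characters that JSTL's c:out escapes by default. */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Stand-in for rendering <security:authentication property="..."/>.
     * The "principal" is a plain map here; a real tag would read a bean property.
     */
    static String render(Map<String, String> principal, String property, boolean htmlEscape) {
        String value = principal.getOrDefault(property, "");
        return htmlEscape ? escapeXml(value) : value;
    }

    public static void main(String[] args) {
        // Constructed, hostile username: the kind of value a self-registration
        // form might accept if it does not reject '<' and '>'.
        Map<String, String> principal =
                Collections.singletonMap("username", "<script>alert(document.cookie)</script>");

        // Behaviour the report describes: the markup reaches the browser as-is
        // and runs in the page's origin (stored XSS via the displayed username).
        System.out.println(render(principal, "username", false));

        // Suggested behaviour: the same value, but the browser shows it as text:
        // &lt;script&gt;alert(document.cookie)&lt;/script&gt;
        System.out.println(render(principal, "username", true));
    }
}
```

The second `println` is the output the report asks for as the default; the first is what a template author gets today if they do not wrap the tag's output in `c:out` themselves. Note that entity escaping protects an HTML text node or a quoted attribute value; a username written into a JavaScript block or a URL needs the encoding appropriate to that context instead.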