NVelocity is a view engine for MonoRail. It is quite handy, and writing views with it is not difficult.
One of the flaws I can name is security. By default there is not much support for it: for instance, XSS (cross-site scripting) attacks are possible, because XHTML or JavaScript supplied as view data is rendered as-is.
I spent some time googling for existing solutions to that MAJOR issue, but I failed to find anything interesting. The most useful information I found was the article called Cross Site Scripting and letting the framework deal with it. According to its author, Oren Eini, some support for HTML encoding has been implemented for Brail, which is another MonoRail view engine. But… I’m interested in NVelocity, not Brail!
Should you discover anything interesting on that topic, please post a link as a comment to this post. I’d be grateful.



How true. I’ve often wondered why there isn’t any HTML encoding keyword or symbol built into NVelocity as there currently is in Brail.
One solution here is to use a method defined in the helper class that is assigned to a controller. However, you need to explicitly define its invocation… If only there were a character added to $propertyName as in Brail.
This is a major issue in NVelocity!
Hi,
I’ve just knocked together a simple helper that you might be interested in. You can see the source on my google code repository here:
http://code.google.com/p/andypike/source/browse/trunk/Snowflake/src/AndyPike.Commons/Web/MonoRail/Helpers/AntiXssHelper.cs
This is a view helper that basically wraps the Microsoft AntiXSS library, which you can get here:
http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en
Add this helper and reference AntiXSSLibrary.dll in your web app. Then in your controller add something like this above the class:
[Helper(typeof(AntiXssHelper), "xss")]
Then you can do this in your NVelocity view:
$xss.html($foo)
$xss.url($bar)
and so on. Let me know if this helps.
Andy
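A helper along the lines Andy describes, written here as an added example rather than taken from his repository or from the AntiXSS library: it assumes MonoRail’s AbstractHelper base class and the AntiXss.HtmlEncode, HtmlAttributeEncode, JavaScriptEncode and UrlEncode methods of the Microsoft AntiXSS library, and it adds one method per output context so a view picks the encoder matching where the value lands.

```csharp
using System;
using Castle.MonoRail.Framework.Helpers;   // AbstractHelper (assumed base class)
using Microsoft.Security.Application;      // AntiXss, from AntiXSSLibrary.dll

// Hypothetical helper, registered on a controller with
// [Helper(typeof(AntiXssHelper), "xss")] so views can call $xss.Html(...).
public class AntiXssHelper : AbstractHelper
{
    // Text between tags:  <p>$xss.Html($user.Name)</p>
    public string Html(object value)
    {
        return AntiXss.HtmlEncode(AsString(value));
    }

    // Inside a quoted attribute:  <input value="$xss.Attr($query)">
    public string Attr(object value)
    {
        return AntiXss.HtmlAttributeEncode(AsString(value));
    }

    // Inside a script block; note that some AntiXSS versions already wrap
    // the result in quotes, so check the library you reference.
    public string Js(object value)
    {
        return AntiXss.JavaScriptEncode(AsString(value));
    }

    // Query string component:  <a href="/search?q=$xss.Url($query)">
    public string Url(object value)
    {
        return AntiXss.UrlEncode(AsString(value));
    }

    // Null view data must neither throw nor render as the literal "null".
    private static string AsString(object value)
    {
        return value == null ? string.Empty : Convert.ToString(value);
    }
}
```

The important point is that each method is tied to a single output context; using Html() inside an attribute or a script literal would still leave an injection path.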
Andy,
I can’t try it right now, but from what I see this should really help there. The problem with an existing application is that now you need to change lots of view files…
Anyway thanks for the tip!
Cheers,
Jarek