How to deal with XSS on NVelocity

The Castle project is full of features, includes some amazing sub-projects, and it was a pleasure to develop with it.

My team is almost ready to provide custom EAM and we are polishing our system. We tried some basic XSS attacks and assumed they all worked.

Even though it will run on an Intranet environment, we don't want users to accidentally destroy the entire system, and we are exploring solutions to resolve XSS issues.

NVelocity hides nothing by default, so this code:

${entity.Field}

      

        
        
        
      

    

with a field containing things like:

<script>alert('xss!')</script>

      

        
        
        
      

    

will give us a nice warning xss.

The Microsoft AntiXSS library looks good: it handles several types of possible XSS vectors, etc. We ran into the AndyPike helper, but this solution will force us to reorganize several thousand lines. Yes, not good. And this won't handle automatic ActiveRecord / NVelocity binding when editing existing objects.

The question arises: using output encoding methods, is it possible / recommended to fix the Castle Project NVelocity engine? Like Brail? Does anyone have a better idea?

Thank!

PS: Will Stackoverflowers using the Castle Project use such a patch?