View Full Version : Escaping HTML in views


Golly
May 1st, 2005, 10:20 AM
I'm using velocity for my views, and some spring macros provide HTML escaping support (such as #springBind) but as far as I know there is no way to escape normal variables. E.g. "Hello there ${name}."

I noticed that there was another post in this forum back in Oct 2004 asking the same thing but as far as I can tell, this is still unresolved...

Has this been addressed yet? If not, what approach are other people taking to deal with the problem?

katentim
May 2nd, 2005, 08:00 AM
Has this been addressed yet?
Not AFAIK. I'd post this to JIRA (http://opensource.atlassian.com/projects/spring/secure/Dashboard.jspa).

Golly
May 2nd, 2005, 01:14 PM
Yeah, I added it to JIRA (SPR-912).

In the meantime, I think I'll try subclassing VelocityView and see how that goes.

Any opinions? What are other people doing?

katentim
May 2nd, 2005, 08:09 PM
Any opinions?
The functionality is in HtmlUtils, but as that is abstract, I'm not sure if you can access this directly in Velocity. You could add your own bean (until Spring addresses this) that utilises HtmlUtils with something like:
// MyHtmlUtils: a small bean whose htmlEscape(String) instance method delegates to the static HtmlUtils.htmlEscape(String)
Map model = new HashMap();
model.put("htmlUtils", new MyHtmlUtils());
and in velocity (a plain $name reference inside the method call, not ${name}):
$htmlUtils.htmlEscape($name)

davison
May 3rd, 2005, 04:35 AM
I noticed that there was another post in this forum back in oct 2004 asking the same thing
can you quote the URL?

Without reference to that forum post I'm not entirely sure what you're asking - does this not help: http://jakarta.apache.org/velocity/user-guide.html#Escaping%20Valid%20VTL%20References ?

katentim
May 3rd, 2005, 07:04 PM
does this not help
Not really. This is for escaping within the VTL (i.e. escaping special VTL characters, e.g. '$', in VTL). The poster wants to escape special HTML characters, e.g. '<' within a variable.

Golly
May 4th, 2005, 07:45 AM
can you quote the URL?

Sure thing:
http://forum.springframework.org/viewtopic.php?t=1423

Thanks for the suggestion katentim. It's good to know that we still have something that works but it's not very good that we need to add code to every controller that makes use of it.

I think I have a possible solution (but haven't tested it yet).
If I subclass org.springframework.web.servlet.support.RequestContext and add a function like htmlEscape(String) or something, and then modify renderMergedOutputModel() in org.springframework.web.servlet.view.AbstractTemplateView so that it adds my subclassed version of RequestContext to the model, and add a small velocity macro it should work.....

This I think is one possible solution but I think it would be better if I could just specify in the VelocityViewResolver or VelocityConfig that I want all dynamic data HTML escaped, I think that would be a much better solution...
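One way to combine the two ideas in this thread (katentim's escaping helper bean and Golly's VelocityView subclass) so the helper is exposed once for every view instead of in each controller. This is an added example, not code from the thread or from Spring itself; it assumes the protected exposeHelpers(Map, HttpServletRequest) hook of Spring's VelocityView, and the helper name "esc" is an arbitrary choice.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.servlet.view.velocity.VelocityView;
import org.springframework.web.util.HtmlUtils;

/**
 * VelocityView subclass that adds an HTML-escaping helper to the model on
 * every render, so controllers need no per-request escaping code.
 *
 * Configure it on the resolver (property name from UrlBasedViewResolver):
 *   <property name="viewClass" value="EscapingVelocityView"/>
 *
 * Template usage (the $name reference is passed as a plain argument):
 *   Hello there $esc.htmlEscape($name).
 */
public class EscapingVelocityView extends VelocityView {

    /**
     * Helper bean exposed to templates. Velocity can only call instance
     * methods, so this wraps the static HtmlUtils.htmlEscape(String).
     */
    public static class HtmlEscaper {
        public String htmlEscape(String value) {
            // Render missing model data as empty output rather than
            // the literal text "null", and escape everything else.
            return (value == null) ? "" : HtmlUtils.htmlEscape(value);
        }
    }

    // Hook assumed to exist on VelocityView; called once per rendering
    // operation with the model that the template will see.
    protected void exposeHelpers(Map model, HttpServletRequest request)
            throws Exception {
        super.exposeHelpers(model, request);
        // "esc" is an arbitrary helper name chosen for this example.
        model.put("esc", new HtmlEscaper());
    }
}
```

Any template that still writes a bare $name bypasses the helper, so this only enforces escaping for references that are routed through $esc.htmlEscape.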