
Re: xml/xsl character escaping in user entered data

Subject: Re: xml/xsl character escaping in user entered data
From: "G. Ken Holman" <gkholman@xxxxxxxxxxxxxxxxxxxx>
Date: Sun, 04 Apr 2004 16:16:58 -0400
At 2004-03-04 13:07 -0800, Jonathan Kart wrote:
> I have a relatively simple problem to solve,

Your problem was anticipated by the designers of XSLT.


> My issue is that non-technical users enter the data
> into the database.

Fine.


> I need to insure the following goals:
> 1. nothing the users enter can cause the subsequent xml files to be
> malformed

You can ensure this by protecting *everything* that comes in from the user, which isn't as bad as it sounds: you just have to escape "<", "&" and, to be safe, ">" in the text field that captures the user's typing. This field of data can be stored in element or attribute content with the escaped characters.


> 2. any intra-content html formatting they enter is preserved after the
> xsl transformations are complete.  For example, user data such as:
> "Here is the <b>Title</b> of my article"
> needs to be preserved exactly so the browser will bold the "Title".

This is the use-case for the disable-output-escaping= attribute of <xsl:text> and of <xsl:value-of>.


If your user entered the string above, your storage would be:

<data>Here is the &lt;b&gt;Title&lt;/b&gt; of my article</data>

If you did <xsl:value-of select="data"/> you would *not* get what you want as the browser would see:

Here is the &lt;b&gt;Title&lt;/b&gt; of my article

and your users would see:

Here is the <b>Title</b> of my article

but if you do <xsl:value-of select="data" disable-output-escaping="yes"/> your browser would see:

Here is the <b>Title</b> of my article

and your users would see:

Here is the Title of my article (with the Title bolded).

The act of disabling the output escaping is just that: when serializing the text found in the result node tree, the escaping of sensitive markup characters is disabled so that browsers see the markup characters as markup characters.

> Although, I'm not at liberty to alter the process of db ---> xml --(via
> xslt)--> html.  So system design suggestions won't aid me.  I'm just
> looking for a way to solve this particular problem.

I'm confident this should help.


............................ Ken


--
Public courses: Spring 2004 world tour of hands-on XSL instruction
Each week: Monday-Wednesday: XSLT/XPath; Thursday-Friday: XSL-FO
Hong Kong May 17-21; Bremen Germany May 24-28; Helsinki June 14-18

World-wide on-site corporate, govt. & user group XML/XSL training.
G. Ken Holman                 mailto:gkholman@xxxxxxxxxxxxxxxxxxxx
Crane Softwrights Ltd.          http://www.CraneSoftwrights.com/s/
Box 266, Kars, Ontario CANADA K0A-2E0    +1(613)489-0999 (F:-0995)
Male Breast Cancer Awareness  http://www.CraneSoftwrights.com/s/bc
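Added example (not part of Ken's reply or the list thread): a Python model of the storage escaping and the two serializations described above, using the standard library's xml.sax.saxutils.escape and ElementTree in place of an XSLT processor. The function names, the title attribute and the sample strings other than the post's own are constructed; the model also covers the extra quote escaping needed when the escaped text is stored in attribute content, which the reply mentions as an option.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# When the escaped text lands in a double-quoted attribute, the delimiting
# quote must be escaped as well (escape() alone covers '&', '<' and '>').
ATTR_ENTITIES = {'"': "&quot;"}

def escape_for_storage(user_text: str, in_attribute: bool = False) -> str:
    """Escape one user-typed field so it can be stored in XML content."""
    return escape(user_text, ATTR_ENTITIES if in_attribute else {})

def store_as_element(user_text: str) -> str:
    """Stored form from the post: <data>...escaped text...</data>."""
    return f"<data>{escape_for_storage(user_text)}</data>"

def store_as_attribute(user_text: str) -> str:
    """Same text stored in attribute content (constructed attribute name)."""
    return f'<data title="{escape_for_storage(user_text, True)}"/>'

def roundtrips(user_text: str) -> bool:
    """Goal 1 check: both stored forms parse, and parsing gives back exactly
    what the user typed, so the input cannot leave the XML malformed."""
    elem = ET.fromstring(store_as_element(user_text))
    attr = ET.fromstring(store_as_attribute(user_text))
    return (elem.text or "") == user_text and attr.get("title") == user_text

def browser_sees(stored_xml: str, disable_output_escaping: bool) -> str:
    """Model what <xsl:value-of select="data"/> emits. The parser resolves
    the stored entities back to the typed text; the XSLT serializer then
    re-escapes it unless disable-output-escaping="yes", in which case the
    markup characters are written out as-is for the browser to interpret."""
    text = ET.fromstring(stored_xml).text or ""
    return text if disable_output_escaping else escape(text)

if __name__ == "__main__":
    typed = "Here is the <b>Title</b> of my article"   # the post's sample
    stored = store_as_element(typed)
    print("stored:  ", stored)
    print("value-of:", browser_sees(stored, False))
    print("d-o-e:   ", browser_sees(stored, True))
    # Entity text typed literally by a user is double-escaped in storage and
    # comes back as the literal characters, even with d-o-e enabled.
    print("typed &lt;b&gt; ->", browser_sees(store_as_element("&lt;b&gt;"), True))
```

roundtrips() is the goal-1 check: any input that fails to parse, or parses back to something other than what was typed, points to a gap in the escaping. With disable-output-escaping="yes" the browser receives whatever markup the user typed, exactly as the reply says, so goal 2 delivers every tag the user enters, not only <b>.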
