Re: xml/xsl character escaping in user entered data

Play the video

Subject: Re: xml/xsl character escaping in user entered data
From: Julian Reschke <julian.reschke@xxxxxx>
Date: Sun, 04 Apr 2004 22:27:38 +0200

Hi,

Ken's suggestion will work; note however that it opens a possible security hole where users will be able to insert executable script into the database which will propagate later into the client's browsers. If these are running in a "trusted" security zone (quite common in a company's intranet), it will be able to more or less execute arbitrary code (at least when run IE with active scripting enabled).

I'd recommend to tidy the input into XHTML, and then use XSLT just to copy over those XHTML elements considered "safe" (such as <b>, <i>), filtering out everything else.

Julian

--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760

Current Thread
xml/xsl character escaping in user entered data Jonathan Kart - Sun, 4 Apr 2004 16:08:16 -0400 (EDT) Julian Reschke - Sun, 4 Apr 2004 16:16:46 -0400 (EDT) G. Ken Holman - Sun, 4 Apr 2004 16:17:59 -0400 (EDT) Julian Reschke - Sun, 4 Apr 2004 16:36:06 -0400 (EDT) <=

<- Previous	Index	Next ->
Re: xml/xsl character escapin, G. Ken Holman	Thread	XSL Template Designer V1.0 re, Kazumi Hara
Re: xml/xsl character escapin, G. Ken Holman	Date	RE: Saxon & Fallback from doc, David . Pawson
	Month

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Subscribe in XML format

RSS 2.0
Atom 0.3

XML Editor - Download a 15 Day Free Trial Now >

See What's New in Stylus Studio >

Buy Stylus Studio - XML Editor - Now >