
RE: disable-output-escaping not working?

Subject: RE: disable-output-escaping not working?
From: "Julian Reschke" <julian.reschke@xxxxxx>
Date: Thu, 4 Jul 2002 14:14:53 +0200
Hi,

first of all, you don't use XSLT (see namespace declaration of your
stylesheet). d-o-e is an optional feature of XSLT, not "WD-XSL".

Second, if you allow users to enter arbitrary HTML and plan to send that to
people looking at the messages, this is a potential security hole because
the user might enter script tags as well. I'd recommend parsing the HTML
using TIDY, and then copying only the (X)HTML subset you're willing to
store. This in turn should be done as proper XHTML markup, not as plain text
(then you won't need to disable escaping at all).

Julian

> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx]On Behalf Of Henry E. Lee,
> Jr.
> Sent: Thursday, July 04, 2002 1:58 PM
> To: XSL-List@xxxxxxxxxxxxxxxxxxxxxx
> Subject:  disable-output-escaping not working?
>
>
> Hello all,
>
> First I would like to say I am new to XML/XSL, please bear with me!
>
> Second, I did look through all of the archives before posting, and I did
> find the solution to my problem, except that part of it does not work.
>
> I am creating an application that will use XML/XSL to display data for
> message boards, news items, etc. As a result, it is imperative that I allow
> people to insert HTML directly into my XML documents.
>
> So far to do this I have tried two different techniques. The first was to
> use commenting like so:
>
> <message>
>   <!--
>   My HTML can go here with line breaks<br>
>   and <b>bold</b> font.
>   -->
> </message>
>
> The second technique I tried was the CDATA like so:
>
> <message>
>   <![CDATA[
>   My HTML can go here with line breaks<br>
>   and <b>bold</b> font.
>   ]]>
> </message>
>
> In my XSL document, I have been trying to use
> disable-output-escaping="yes"
> but it seems to be getting completely ignored. I have tried using:
>
> <?xml version="1.0" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
>   ...
>   <xsl:value-of select="message/comment()" disable-output-escaping="yes"/>
>   ...
> </xsl:stylesheet>
>
> I have also tried a variety of other things as well. Of the ones that work,
> they all display the HTML without interpreting the tags and such.
>
> Thanks so much for the assistance,
>
> Hank
>
> ----------------------------------------
> Henry E. Lee, Jr.
> ----------------------------------------
>
>
>  XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
>

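Julian's advice above (tidy the submitted HTML, then copy only the (X)HTML subset you are willing to store, as real markup rather than escaped text) is illustrated here with an added Python example that is not code from the thread. It assumes the Tidy step has already produced well-formed XML with unprefixed element names, and the allowlist itself (`ALLOWED`, `SAFE_SCHEMES`) is a hypothetical policy for the example.

```python
import xml.etree.ElementTree as ET

# Hypothetical policy: element -> attributes a stored message may carry.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
# Elements whose content must not survive even as plain text.
DROP_WITH_CONTENT = {"script", "style"}
SAFE_SCHEMES = ("http://", "https://")

def _attr_ok(tag, name, value):
    """Keep an attribute only if the policy lists it (and href is http(s))."""
    if name not in ALLOWED[tag]:
        return False
    return name != "href" or value.lower().startswith(SAFE_SCHEMES)

def _append_text(parent, text):
    """Append character data at the current end of parent's content."""
    if not text:
        return
    if len(parent):
        parent[-1].tail = (parent[-1].tail or "") + text
    else:
        parent.text = (parent.text or "") + text

def _copy_children(src, dst):
    """Copy allowed elements, unwrap unknown ones to text, drop script/style."""
    for child in src:
        if child.tag in DROP_WITH_CONTENT:
            pass  # element and its content are discarded entirely
        elif child.tag in ALLOWED:
            attrs = {k: v for k, v in child.attrib.items() if _attr_ok(child.tag, k, v)}
            new = ET.SubElement(dst, child.tag, attrs)
            new.text = child.text
            _copy_children(child, new)
        else:
            _append_text(dst, child.text)   # keep the words, lose the markup
            _copy_children(child, dst)
        _append_text(dst, child.tail)       # text following the child

def sanitize_message(xml_text):
    """Return the <message> with only the allowed XHTML subset as markup."""
    src = ET.fromstring(xml_text)
    dst = ET.Element(src.tag)
    dst.text = src.text
    _copy_children(src, dst)
    return ET.tostring(dst, encoding="unicode")

# Constructed sample: tidied user input containing things the policy rejects.
SAMPLE = ('<message><p>line breaks<br/>and <b onclick="x()">bold</b> font '
          '<font color="red">red</font> <a href="http://example.com/">ok</a> '
          '<a href="javascript:void(0)">bad</a></p><script>alert(1)</script>tail</message>')

if __name__ == "__main__":
    print(sanitize_message(SAMPLE))
```

Because the result is real XHTML in the XML document, a plain `<xsl:copy-of select="message/node()"/>` emits it as markup and `disable-output-escaping` is never needed.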


