
Re: disable-output-UNescaping

Subject: Re: disable-output-UNescaping
From: Mike Brown <mike@xxxxxxxx>
Date: Mon, 28 Oct 2002 14:04:02 -0700 (MST)
jon wa wrote:
> For a project it is convenient to use XSL to generate SQL. This is because
> input is XML and in the future we might use a real XML database.
> Because malicious XML uploads might try to exploit the SQL I'm worried about
> certain characters, mostly quotes, apostrophes and backslashes. My idea was
> to escape all these chars with the &#92; notation but I quickly found out
> that my XSL always converted this back to a real "\" and the same happened for
> apostrophes.
> 
> In xsl we have disable-output-escaping to prevent characters being escaped
> and I was wondering if it was possible to do the reverse and make sure that
> escaped chars are not unescaped during processing.

This is a FAQ. Character references, entity references, the order of
attributes, the type of quotes used around attributes, which text is in a
CDATA section... are all lexical items that may be in an XML document for the
convenience of the document author, but these things are all obscured by the
XML parser when it reads the document and reports to the application the
important stuff -- logical contents, i.e. the hierarchy of elements, what
attributes they have, and what character data they contain.

Also note that a character reference like &#92; "means" just the one character
backslash, not the 5 characters ampersand number-sign nine two semicolon. So
in any XML application, not just XSLT processors, you're only going to get the
one character, at least internally. The XSLT processor is free to offer you
the option of controlling how it serializes the output (it wouldn't be wrong
to let you serialize it as &#92; or &#x5C;), but most don't, at least not to do
what you want to do, which is escape a character that never normally needs to
be escaped.

To solve your problem, in your XSLT you could use a recursive string
replacement template. At http://skew.org/xml/stylesheets/replace/ I have an
example of the general principle, and at
http://skew.org/xml/stylesheets/treeview/ascii/ in the stylesheet there you
can see a variation (the 'escape-ws' template at the bottom) that is more
specific to the specific set of replacements you want to do.

   - Mike
____________________________________________________________________________
  mike j. brown                   |  xml/xslt: http://skew.org/xml/
  denver/boulder, colorado, usa   |  resume: http://skew.org/~mike/resume/

 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
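As an added illustration of the recursive string-replacement approach Mike describes (this is example code written for this page, not the stylesheet at skew.org and not the original poster's project), here is a complete XSLT 1.0 stylesheet that escapes backslashes and apostrophes before emitting a SQL string literal. It assumes an input document shaped like `<users><user><name>O'Brien</name></user></users>` and a SQL dialect that escapes with a backslash, as the question describes; the element names and the INSERT statement are invented for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: recursive replace template used to escape text for a SQL
     string literal. Input assumed (constructed for this example):
       <users>
         <user><name>O'Brien</name></user>
         <user><name>C:&#92;temp</name></user>
       </users>
     Note that &#92; reaches the stylesheet as ONE backslash character, because
     the XML parser resolves the character reference before XSLT sees the text. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>

  <!-- Generic recursive replace: every occurrence of $search in $text becomes
       $replace. The already-processed prefix is written out, and the template
       recurses on the remainder after the first match. -->
  <xsl:template name="replace">
    <xsl:param name="text"/>
    <xsl:param name="search"/>
    <xsl:param name="replace"/>
    <xsl:choose>
      <xsl:when test="$search != '' and contains($text, $search)">
        <xsl:value-of select="substring-before($text, $search)"/>
        <xsl:value-of select="$replace"/>
        <xsl:call-template name="replace">
          <xsl:with-param name="text" select="substring-after($text, $search)"/>
          <xsl:with-param name="search" select="$search"/>
          <xsl:with-param name="replace" select="$replace"/>
        </xsl:call-template>
      </xsl:when>
      <xsl:otherwise>
        <xsl:value-of select="$text"/>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>

  <!-- Escape for a backslash-escaping SQL dialect (assumption taken from the
       question). Order matters: double the backslashes FIRST, so the backslash
       inserted in front of each apostrophe is not doubled again afterwards. -->
  <xsl:template name="sql-escape">
    <xsl:param name="text"/>
    <xsl:variable name="bs">
      <xsl:call-template name="replace">
        <xsl:with-param name="text" select="$text"/>
        <xsl:with-param name="search" select="'\'"/>
        <xsl:with-param name="replace" select="'\\'"/>
      </xsl:call-template>
    </xsl:variable>
    <!-- XPath string literals have no escape syntax, so the apostrophe is
         passed inside a double-quoted literal, written as &quot; in the attribute. -->
    <xsl:call-template name="replace">
      <xsl:with-param name="text" select="string($bs)"/>
      <xsl:with-param name="search" select="&quot;'&quot;"/>
      <xsl:with-param name="replace" select="&quot;\'&quot;"/>
    </xsl:call-template>
  </xsl:template>

  <!-- One INSERT per user; hypothetical table and column names. -->
  <xsl:template match="/">
    <xsl:for-each select="/users/user">
      <xsl:text>INSERT INTO users (name) VALUES ('</xsl:text>
      <xsl:call-template name="sql-escape">
        <xsl:with-param name="text" select="string(name)"/>
      </xsl:call-template>
      <xsl:text>');&#10;</xsl:text>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>
```

Run with any XSLT 1.0 processor (for example `xsltproc escape.xsl users.xml`); the two sample users come out as `'O\'Brien'` and `'C:\\temp'`. Because the parser has already turned any `&#92;` or `&#39;` in the input into the plain character, the template operates on the real backslash or apostrophe rather than on the reference text, which is exactly why escaping at the XML-reference level in the source cannot survive processing. Standard SQL escapes an apostrophe by doubling it rather than with a backslash; the backslash form above follows the dialect the question assumes, and where the consuming database offers parameterized statements, binding the values is the more robust alternative to assembling SQL text at all.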
