[XSL-LIST Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: disable-output-UNescaping
jon wa wrote: > For a project it is convenient to use XSL to generate SQL. This is because > input is XML and in the future we might use a real XML database. > Because malicious XML uploads might try to exploit the SQL I'm worried about > certain characters, mostly quotes, apostrophes and backslashes. My idea was > to escape all these chars with the \ notation but I quickly found out > that my XSL always converted this back to a real "\" and the same happened for > apostrophes. > > In xsl we have disable-output-escaping to prevent characters being escaped > and I was wondering if it was possible to do the reverse and make sure that > escaped chars are not unescaped during processing. This is a FAQ. Character references, entity references, the order of attributes, the type of quotes used around attributes, which text is in a CDATA section... are all lexical items that may be in an XML document for the convenience of the document author, but these things are all obscured by the XML parser when it reads the document and reports to the application the important stuff -- logical contents, i.e. the hierarchy of elements, what attributes they have, and what character data they contain. Also note that a character reference like \ "means" just the one character backslash, not the 5 characters ampersand number-sign nine two semicolon. So in any XML application, not just XSLT processors, you're only going to get the one character, at least internally. The XSLT processor is free to offer you the option of controlling how it serializes the output (it wouldn't be wrong to let you serialize it as \ or \), but most don't, at least not to do what you want to do, which is escape a character that never normally needs to be escaped. To solve your problem, in your XSLT you could use a recursive string replacement template. At http://skew.org/xml/stylesheets/replace/ I have an example of the general principle, and at http://skew.org/xml/stylesheets/treeview/ascii/ in the stylesheet there you can see a variation (the 'escape-ws' template at the bottom) that is more specific to the specific set of replacements you want to do. - Mike ____________________________________________________________________________ mike j. brown | xml/xslt: http://skew.org/xml/ denver/boulder, colorado, usa | resume: http://skew.org/~mike/resume/ XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|