
Re: disable-output-UNescaping

2002-10-28 15:19:42
I was hoping that I might have just missed an XSL method for defining
escaping since it would have been a tidy way of dealing with this problem.
I was also trying to avoid using a template for this. For such trivial things
like this it feels just as ugly as using regex on either side of the
stylesheet. At least regex has the benefit of being much quicker to write :)
Thanks for the link to the escape-ws template, looks tailor made for me.

jw

jon wa wrote:
For a project it is convenient to use XSL to generate SQL. This is because
input is XML and in the future we might use a real XML database.
Because malicious XML uploads might try to exploit the SQL I'm worried about
certain characters, mostly quotes, apostrophes and backslashes. My idea was
to escape all these chars with the &#92; notation but I quickly found out
that my XSL always converted this back to a real "\" and the same happened for
apostrophes.

In xsl we have disable-output-escaping to prevent characters being escaped
and I was wondering if it was possible to do the reverse and make sure that
escaped chars are not unescaped during processing.

This is a FAQ. Character references, entity references, the order of
attributes, the type of quotes used around attributes, which text is in a
CDATA section... are all lexical items that may be in an XML document for the
convenience of the document author, but these things are all obscured by the
XML parser when it reads the document and reports to the application the
important stuff -- logical contents, i.e. the hierarchy of elements, what
attributes they have, and what character data they contain.

Also note that a character reference like &#92; "means" just the one character
backslash, not the 5 characters ampersand number-sign nine two semicolon. So
in any XML application, not just XSLT processors, you're only going to get the
one character, at least internally. The XSLT processor is free to offer you
the option of controlling how it serializes the output (it wouldn't be wrong
to let you serialize it as &#92; or &#x5C), but most don't, at least not to do
what you want to do, which is escape a character that never normally needs to
be escaped.

To solve your problem, in your XSLT you could use a recursive string
replacement template. At http://skew.org/xml/stylesheets/replace/ I have an
example of the general principle, and at
http://skew.org/xml/stylesheets/treeview/ascii/ in the stylesheet there you
can see a variation (the 'escape-ws' template at the bottom) that is more
specific to the specific set of replacements you want to do.

   - Mike

____________________________________________________________________________
  mike j. brown                   |  xml/xslt: http://skew.org/xml/
  denver/boulder, colorado, usa   |  resume: http://skew.org/~mike/resume/

 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
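
The recursive replacement approach suggested in the reply above, sketched as an added XSLT 1.0 example; it is not code from the thread or from the skew.org stylesheets. It assumes, as the original question does, a SQL dialect in which a backslash escapes the next character inside a string literal; the `sql-escape` template name, the `name` input element and the `people` table are hypothetical.

```xslt
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>

  <!-- Apostrophe and double quote; backslash is handled as the marker below. -->
  <xsl:variable name="specials">'"</xsl:variable>

  <!-- Writes $text with a backslash in front of every \ ' and ".
       Recursion depth equals the number of escaped characters,
       not the length of the string. -->
  <xsl:template name="sql-escape">
    <xsl:param name="text"/>
    <!-- Same length as $text, with ' and " turned into \ so that a single
         search finds the first character that needs escaping. -->
    <xsl:variable name="marked" select="translate($text, $specials, '\\')"/>
    <xsl:choose>
      <xsl:when test="contains($marked, '\')">
        <xsl:variable name="n"
                      select="string-length(substring-before($marked, '\'))"/>
        <xsl:value-of select="substring($text, 1, $n)"/>
        <xsl:text>\</xsl:text>
        <xsl:value-of select="substring($text, $n + 1, 1)"/>
        <xsl:call-template name="sql-escape">
          <xsl:with-param name="text" select="substring($text, $n + 2)"/>
        </xsl:call-template>
      </xsl:when>
      <xsl:otherwise>
        <xsl:value-of select="$text"/>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>

  <!-- Hypothetical input element and table, e.g. <name>O'Neil \ "x"</name> -->
  <xsl:template match="name">
    <xsl:text>INSERT INTO people (name) VALUES ('</xsl:text>
    <xsl:call-template name="sql-escape">
      <xsl:with-param name="text" select="string(.)"/>
    </xsl:call-template>
    <xsl:text>');&#10;</xsl:text>
  </xsl:template>
</xsl:stylesheet>
```

Because the parser hands the stylesheet one backslash character whether the upload contained a literal `\` or the reference `&#92;`, both spellings go through the same escaping path.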
