xsl-list

Re: xml/xsl character escaping in user entered data

2004-04-04 13:16:58
At 2004-03-04 13:07 -0800, Jonathan Kart wrote:
I have a relatively simple problem to solve,

Your problem was anticipated by the designers of XSLT.

My issue is that non-technical users enter the data
into the database.

Fine.

I need to ensure the following goals:
1. nothing the users enter can cause the subsequent xml files to be
malformed

You can ensure this by protecting *everything* that comes in from the user, which isn't as bad as it sounds: you just have to escape "<", "&" and, to be safe, ">" in the text field that captures the user's typing. This field of data can be stored in element or attribute content with the escaped characters.

2. any intra-content html formatting they enter is preserved after the
xsl transformations are complete.  For example, user data such as:
"Here is the <b>Title</b> of my article"
needs to be preserved exactly so the browser will bold the "Title".

This is the use-case for the disable-output-escaping= attribute of <xsl:text> and of <xsl:value-of>.

If your user entered the string above, your storage would be:

 <data>Here is the &lt;b&gt;Title&lt;/b&gt; of my article</data>

If you did <xsl:value-of select="data"/> you would *not* get what you want as the browser would see:

   Here is the &lt;b&gt;Title&lt;/b&gt; of my article

and your users would see:

   Here is the <b>Title</b> of my article

but if you do <xsl:value-of select="data" disable-output-escaping="yes"/> your browser would see:

      Here is the <b>Title</b> of my article

and your users would see:

   Here is the Title of my article (with the Title bolded).

The act of disabling the output escaping is just that: when serializing the text found in the result node tree, the escaping of sensitive markup characters is disabled so that browsers see the markup characters as markup characters.
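An added stdlib-Python emulation of the two steps above (example code, not from Ken's reply or an XSLT processor): escape() gives the storage form that keeps the XML well-formed, and value_of() reproduces what the browser receives with and without disable-output-escaping. The <data> element, the function names and the sample user text are constructed for the example; the d-o-e path hands the user's text to the browser unchanged, so the escaping at storage time protects the XML, not the HTML.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample of what a non-technical user might type into the field.
USER_TEXT = 'Here is the <b>Title</b> of my article & more'


def store_as_xml(user_text: str) -> str:
    """Goal 1: escape &, < and > before the text goes into element content."""
    return "<data>%s</data>" % escape(user_text)


def is_well_formed(xml_doc: str) -> bool:
    """True if a parser accepts the document (what goal 1 is really asking for)."""
    try:
        ET.fromstring(xml_doc)
        return True
    except ET.ParseError:
        return False


def value_of(xml_doc: str, disable_output_escaping: bool = False) -> str:
    """Emulate <xsl:value-of select="data"/> on the stored document.

    Parsing turns &lt;b&gt; back into the characters <b> in the result tree.
    A conforming serializer escapes them again on output, so the browser sees
    &lt;b&gt; unless disable-output-escaping="yes" passes the text through raw.
    """
    text = ET.fromstring(xml_doc).text or ""
    return text if disable_output_escaping else escape(text)


if __name__ == "__main__":
    stored = store_as_xml(USER_TEXT)
    print("stored:           ", stored)
    print("well-formed:      ", is_well_formed(stored))
    print("unescaped storage:", is_well_formed("<data>%s</data>" % USER_TEXT))
    print("browser sees:     ", value_of(stored))
    print("with d-o-e sees:  ", value_of(stored, disable_output_escaping=True))
```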

Although, I'm not at liberty to alter the process of db ---> xml --(via
xslt)--> html.  So system design suggestions won't aid me.  I'm just
looking for a way to solve this particular problem.

I'm confident this should help.

............................ Ken


--
Public courses: Spring 2004 world tour of hands-on XSL instruction
Each week:   Monday-Wednesday: XSLT/XPath; Thursday-Friday: XSL-FO
Hong Kong May 17-21; Bremen Germany May 24-28; Helsinki June 14-18

World-wide on-site corporate, govt. & user group XML/XSL training.
G. Ken Holman                 mailto:gkholman(_at_)CraneSoftwrights(_dot_)com
Crane Softwrights Ltd.          http://www.CraneSoftwrights.com/s/
Box 266, Kars, Ontario CANADA K0A-2E0    +1(613)489-0999 (F:-0995)
Male Breast Cancer Awareness  http://www.CraneSoftwrights.com/s/bc