On Sep 28, 2005, at 9:42 PM, David Carlisle wrote:
>> If I'm storing data that may contain encoded versions of <>&" and ',
>> do I need to store that data in CDATA sections or am I misunderstanding
>> the role of CDATA?
>
> I'm not sure what you mean, but don't (try to) use entities _and_
> CDATA.
I'm working on a site documentation system that allows users to submit
data about the current page. The data _could_ contain such characters
and I was debating whether or not to convert them prior to committing
them to the XML file. A web developer once told me to always store
exactly what the users enter and this was one area where I thought
there could be some problems...
And this brings up an interesting potential security violation. If
these characters weren't escaped, users could do something similar to
the javascript cross-site scripting exploit. I don't know exactly what,
but I could imagine that they could submit a link to a stylesheet on
their own server that returns the contents of the XML file that this
data is stored in.
Thanks a lot for the clarification on the use of CDATA sections.
Ted
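The concern in the message above, worked through as an added example (this is not code from the list thread): raw user text dropped into a CDATA section can end the section early with `]]>` and leave a stylesheet processing instruction inside the stored document, while escaping the markup characters keeps the file well-formed and still stores exactly what the user typed. Only the Python standard library is used; the note element, the `attacker.invalid` URL and the sample submissions are constructed for the demonstration.

```python
from xml.dom import minidom
from xml.sax.saxutils import escape

# Constructed user submissions: a benign note and a hostile one that closes
# the CDATA section early and drops an xml-stylesheet PI into the record.
BENIGN = 'Use <b>bold</b> & "quotes" or \'apostrophes\' here'
HOSTILE = (']]><?xml-stylesheet href="http://attacker.invalid/x.xsl"?>'
           '<![CDATA[rest of note')


def naive_cdata_record(text):
    """Wrap the raw user text in a CDATA section without any escaping."""
    return '<note><![CDATA[' + text + ']]></note>'


def safe_cdata_record(text):
    """CDATA that cannot be terminated early: split each ']]>' across two sections."""
    return '<note><![CDATA[' + text.replace(']]>', ']]]]><![CDATA[>') + ']]></note>'


def escaped_record(text):
    """Escape the markup-significant characters; no CDATA section is needed."""
    return '<note>' + escape(text, {'"': '&quot;', "'": '&apos;'}) + '</note>'


def stored_text(xml_text):
    """Parse the record and return the user data as a consumer of the file sees it."""
    note = minidom.parseString(xml_text).documentElement
    return ''.join(n.data for n in note.childNodes
                   if n.nodeType in (n.TEXT_NODE, n.CDATA_SECTION_NODE))


def injected_pis(xml_text):
    """List the targets of processing instructions that ended up inside <note>."""
    note = minidom.parseString(xml_text).documentElement
    return [n.target for n in note.childNodes
            if n.nodeType == n.PROCESSING_INSTRUCTION_NODE]


if __name__ == '__main__':
    for label, build in (('naive CDATA', naive_cdata_record),
                         ('safe CDATA', safe_cdata_record),
                         ('escaped', escaped_record)):
        record = build(HOSTILE)
        print(label, 'round-trips:', stored_text(record) == HOSTILE,
              'injected PIs:', injected_pis(record))
```

The escaped form and the split-CDATA form both give back the original submission byte for byte, so "store exactly what the user entered" and "keep the XML well-formed" are not in conflict.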
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list