Subject: RE: [xsl] [xml]characters not compartible with XML From: "Joshua Allen" <joshuaa@xxxxxxxxxxxxx> Date: Mon, 11 Mar 2002 11:37:23 -0800 |
> Sounds as if the software that takes data out of the database and turns it
> into XML isn't bothering to escape these special characters. Find the
> offending software and fix it.

If the software is SQL Server, it should be escaping the 5 characters properly (<, >, ', ", &) automatically. However, since the topic has come up, SQL Server *will* happily output illegal characters (low-ASCII control characters) that happen to be stored in varchar fields. So it is still important to filter out invalid characters with SQL Server.

In any case, since your error is happening with *input*, it may just be a case that the form processing code is just concatenating the form fields to produce XML and passing that directly to the database. In other words, your database software may be perfectly conforming, but there is no way it can filter out certain strings.

In fact, even more dangerous than the crashing that you see is that someone could figure out how to provide XML within the form field that was *valid* and allowed them to update things they are not permitted to update. Web page processing code that does not filter out special characters, script, etc. from form entries before passing on to a database or other layer is a security risk.

> > -----Original Message-----
> > From: owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> > [mailto:owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx]On Behalf Of stevenson
> > Sent: 11 March 2002 15:22
> > To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> > Subject: [xsl] [xml]characters not compartible with XML
> >
> > I have a database driven intranet that is actively used by users to update
> > the intranet. But I am noticing that each time a user enters a double
> > quote ( " ) or ampersand ( & ), the intranet crashes.
> >
> > How can I avoid this problem? As I need the users to be able to put anything
> > into the database and be able to view them without crashing.
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
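The reply above names two separate problems: form fields concatenated straight into XML (so a `"` or `&` breaks the document, and crafted markup could change its structure), and control characters that are legal in a varchar column but illegal anywhere in XML 1.0. The following Python is an added example, not code from the thread or from any product mentioned in it; it assumes only the standard library, and the `build_record_*` functions and the sample field value are constructed for illustration. It contrasts the raw-concatenation pattern with one that escapes the five special characters and drops characters outside the XML 1.0 `Char` production, then round-trips the result through a parser to show the user's text survives intact.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 allows only #x9, #xA, #xD, #x20-#xD7FF, #xE000-#xFFFD and
# #x10000-#x10FFFF. Anything else (e.g. low-ASCII control characters
# stored in a varchar column) makes the document unparseable.
# Assumption: we drop such characters; substituting U+FFFD is another option.
_ILLEGAL_XML_CHARS = re.compile(
    "[^\u0009\u000a\u000d\u0020-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)

# Constructed sample field: contains &, ", < and a control character (0x01).
SAMPLE_FIELD = 'Tom & "Jerry" <3\x01'


def strip_illegal_xml_chars(text):
    """Remove code points that XML 1.0 forbids anywhere in a document."""
    return _ILLEGAL_XML_CHARS.sub("", text)


def xml_text(value):
    """Make an arbitrary string safe as element content or an attribute value.

    Escapes the five special characters (& < > " ') after stripping
    illegal code points, so the result is inert text, never markup.
    """
    cleaned = strip_illegal_xml_chars(value)
    return escape(cleaned, {'"': "&quot;", "'": "&apos;"})


def build_record_naive(field):
    """The pattern the thread diagnoses: raw concatenation of form input."""
    return "<record><comment>" + field + "</comment></record>"


def build_record_safe(field):
    """Same document, with the field passed through xml_text()."""
    return "<record><comment>" + xml_text(field) + "</comment></record>"


def parses(doc):
    """True if the document is well-formed XML, False otherwise."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def roundtrip(field):
    """Build the safe document, parse it back, and return the comment text."""
    root = ET.fromstring(build_record_safe(field))
    return root.find("comment").text


if __name__ == "__main__":
    print("naive parses:", parses(build_record_naive(SAMPLE_FIELD)))  # False
    print("safe parses: ", parses(build_record_safe(SAMPLE_FIELD)))   # True
    print("round-tripped text:", repr(roundtrip(SAMPLE_FIELD)))
```

The escaping step is what keeps a field value from ever being read as markup, whatever it contains; the stripping step is the separate fix for control characters, which no amount of entity escaping can make legal. Both belong at the point where the form value enters the XML layer, not in the database.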