Re: [xsl] disable-output-UNescaping

Subject: Re: [xsl] disable-output-UNescaping
From: jon wa <jonni@xxxxxxxxx>
Date: Mon, 28 Oct 2002 23:19:42 +0100 (MET)
I was hoping that I might have just missed an XSL method for defining
escaping, since it would have been a tidy way of dealing with this problem.
I was also trying to avoid using a template for this. For trivial things
like this it feels just as ugly as using a regex on either side of the
stylesheet. At least a regex has the benefit of being much quicker to write :)
Thanks for the link to the escape-ws template; it looks tailor-made for me.

jw

> jon wa wrote:
> > For a project it is convenient to use XSL to generate SQL. This is because
> > input is XML and in the future we might use a real XML database.
> > Because malicious XML uploads might try to exploit the SQL I'm worried about
> > certain characters, mostly quotes, apostrophes and backslashes. My idea was
> > to escape all these chars with the &#92; notation but I quickly found out
> > that my XSL always converted this back to a real "\" and the same happened for
> > apostrophes.
> > 
> > In xsl we have disable-output-escaping to prevent characters being escaped
> > and I was wondering if it was possible to do the reverse and make sure that
> > escaped chars are not unescaped during processing.
> 
> This is a FAQ. Character references, entity references, the order of
> attributes, the type of quotes used around attributes, which text is in a
> CDATA section... are all lexical items that may be in an XML document for the
> convenience of the document author, but these things are all obscured by the
> XML parser when it reads the document and reports to the application the
> important stuff -- logical contents, i.e. the hierarchy of elements, what
> attributes they have, and what character data they contain.
> 
> Also note that a character reference like &#92; "means" just the one character
> backslash, not the 5 characters ampersand number-sign nine two semicolon. So
> in any XML application, not just XSLT processors, you're only going to get the
> one character, at least internally. The XSLT processor is free to offer you
> the option of controlling how it serializes the output (it wouldn't be wrong
> to let you serialize it as &#92; or &#x5C), but most don't, at least not to do
> what you want to do, which is escape a character that never normally needs to
> be escaped.
> 
> To solve your problem, in your XSLT you could use a recursive string
> replacement template. At http://skew.org/xml/stylesheets/replace/ I have an
> example of the general principle, and at
> http://skew.org/xml/stylesheets/treeview/ascii/ in the stylesheet there you
> can see a variation (the 'escape-ws' template at the bottom) that is more
> specific to the specific set of replacements you want to do.
> 
>    - Mike
> ____________________________________________________________________________
>   mike j. brown                   |  xml/xslt: http://skew.org/xml/
>   denver/boulder, colorado, usa   |  resume: http://skew.org/~mike/resume/
> 
>  XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
> 

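The recursive string-replacement template Mike describes, worked through for the quote-and-backslash case from the original question. This is an added example written for this page, not the skew.org stylesheet; the `ex:user`/`ex:name` record, the `users` table and the backslash-style escaping are constructed assumptions, and because the stylesheet reads its own sample record via `document('')` it runs stand-alone under any XSLT 1.0 processor.

```xml
<!-- Added example, not the skew.org stylesheet: a recursive string-replacement
     template that escapes backslash and apostrophe before the text lands in a SQL literal. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:ex="urn:example:constructed-input" exclude-result-prefixes="ex">
  <xsl:output method="text"/>
  <!-- Constructed sample record; document('') reads it back from this file so the sheet runs stand-alone. -->
  <ex:user><ex:name>C:\docs\O'Brien</ex:name></ex:user>
  <!-- Replace every occurrence of $from in $text with $to, recursing on the tail. -->
  <xsl:template name="replace">
    <xsl:param name="text"/>
    <xsl:param name="from"/>
    <xsl:param name="to"/>
    <xsl:choose>
      <xsl:when test="contains($text, $from)">
        <xsl:value-of select="concat(substring-before($text, $from), $to)"/>
        <xsl:call-template name="replace">
          <xsl:with-param name="text" select="substring-after($text, $from)"/>
          <xsl:with-param name="from" select="$from"/>
          <xsl:with-param name="to" select="$to"/>
        </xsl:call-template>
      </xsl:when>
      <xsl:otherwise><xsl:value-of select="$text"/></xsl:otherwise>
    </xsl:choose>
  </xsl:template>
  <!-- Double backslashes first; otherwise the backslash added before each quote would be doubled too. -->
  <xsl:variable name="apos">'</xsl:variable>
  <xsl:template name="sql-escape">
    <xsl:param name="text"/>
    <xsl:variable name="bs-done">
      <xsl:call-template name="replace">
        <xsl:with-param name="text" select="$text"/>
        <xsl:with-param name="from" select="'\'"/>
        <xsl:with-param name="to" select="'\\'"/>
      </xsl:call-template>
    </xsl:variable>
    <xsl:call-template name="replace">
      <xsl:with-param name="text" select="$bs-done"/>
      <xsl:with-param name="from" select="$apos"/>
      <xsl:with-param name="to" select="concat('\', $apos)"/>
    </xsl:call-template>
  </xsl:template>
  <xsl:template match="/">
    <xsl:text>INSERT INTO users (name) VALUES ('</xsl:text>
    <xsl:call-template name="sql-escape">
      <xsl:with-param name="text" select="document('')//ex:name"/>
    </xsl:call-template>
    <xsl:text>');&#10;</xsl:text>
  </xsl:template>
</xsl:stylesheet>
```

The backslash convention matches the `&#92;` idea in the question and MySQL's default string syntax; standard SQL and most other engines escape an apostrophe by doubling it instead, so the `to` parameter of the second pass has to follow whichever dialect the generated SQL is fed to. Where the SQL is executed through a client library, bound parameters remove the need for this escaping altogether.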
