Re: [xsl] What data needs to be enclosed in CDATA tags?

Subject: Re: [xsl] What data needs to be enclosed in CDATA tags?
From: Gustave Stresen-Reuter <tedmasterweb@xxxxxxx>
Date: Wed, 28 Sep 2005 22:13:04 +0100
On Sep 28, 2005, at 9:42 PM, David Carlisle wrote:


> > If I'm storing data that may contain encoded versions of <>&" and ', do
> > I need to store that data in CDATA sections or am I misunderstanding
> > the role of CDATA?
>
> I'm not sure what you mean, but don't (try to) use entities _and_ CDATA.

I'm working on a site documentation system that allows users to submit data about the current page. The data _could_ contain such characters and I was debating whether or not to convert them prior to committing them to the XML file. A web developer once told me to always store exactly what the users enter and this was one area where I thought there could be some problems...


And this brings up an interesting potential security violation. If these characters weren't escaped, users could do something similar to the javascript cross-site scripting exploit. I don't know exactly what, but I could imagine that they could submit a link to a stylesheet on their own server that returns the contents of the XML file that this data is stored in.

Thanks a lot for the clarification on the use of CDATA sections.

Ted
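As an added illustration of the point made in this exchange (example code, not from the thread or its authors): storing user-submitted text by escaping the five special characters survives a round trip through an XML parser, whereas wrapping the raw text in a CDATA section fails as soon as the input contains `]]>`, and an entity placed inside CDATA is not decoded. The `<note>` element and the sample text are constructed for the example.

```python
# Added example (not from the thread): escaping user-submitted text for XML storage,
# compared with wrapping it in a CDATA section. Standard library only.
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# escape() handles &, < and >; the extra map covers both quote characters.
EXTRA = {'"': "&quot;", "'": "&apos;"}

def to_xml_text(user_text: str) -> str:
    """Escape <, >, &, " and ' so the text can be stored exactly as entered."""
    return escape(user_text, EXTRA)

def to_cdata(user_text: str) -> str:
    """Naive CDATA wrapping: breaks as soon as the input contains ']]>'."""
    return "<![CDATA[" + user_text + "]]>"

def round_trip(markup: str):
    """Parse a constructed <note> document and return its text, or None if malformed."""
    try:
        return ET.fromstring("<note>" + markup + "</note>").text
    except ET.ParseError:
        return None

# Constructed sample input: the characters the question asks about, plus a CDATA terminator.
SAMPLE = "Tom & Jerry say \"<b>hi</b>\" ]]> it's done"

def compare(user_text: str = SAMPLE) -> dict:
    """Store the same text both ways and report what a parser reads back."""
    return {
        # Escaped form: parser returns the original text unchanged.
        "escaped": round_trip(to_xml_text(user_text)),
        # CDATA form: the embedded ']]>' ends the section early, so the document is malformed.
        "cdata": round_trip(to_cdata(user_text)),
        # Entity inside CDATA is not decoded: '&lt;' comes back literally as '&lt;'.
        "entity_in_cdata": round_trip(to_cdata("&lt;")),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value!r}")
```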
