Subject: RE: [xsl] Converting &, >, <, ", and other odd-ball characters... From: "Clapham, Paul" <pclapham@xxxxxxxxxxxxx> Date: Thu, 15 Feb 2001 09:16:45 -0800 |
It's not just a matter of efficiency. If your page contains an input box for entering my name, and I put in "<b>Paul</b>", and you forget to escape the "<" and ">" characters, then when you echo it back, intending to say "Hello, Paul!", my name appears in bold-face. Not a big deal so far. But if you give me a big enough input box, I can enter an entire Javascript function there, and when you echo that back, if I do it right, I can get the browser to execute that function. And it could be somebody else's browser where it appears. In other words, it's a potential security issue. PC2 -----Original Message----- From: Kevin Duffey [mailto:kevin.duffey@xxxxxxxx] Sent: February 15, 2001 08:22 To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx Subject: RE: [xsl] Converting &, >, <, ", and other odd-ball characters... That is what I did, and it works. I guess when a site is done properly, it will handle "less" traffic than if the fields were not escaped? All that String processing must eat up time..I mean, if you have 1000 people all hit the same page at the same 1 second period of time, that is x number of fields x 1000 requests all being processed through this one method call. I made it a static final method to speed things up a bit, but I wish there was a way to tell the XML parser "if you see & replace it with &, if you see...". I take it there is no way at the top of an XML page to tell the XML parser to convert these characters? Thanks again. XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
Current Thread |
---|
|
<- Previous | Index | Next -> |
---|---|---|
RE: [xsl] Converting &, >, <, ", an, Michael Kay | Thread | RE: [xsl] Converting &, >, <, ", an, Kevin Duffey |
Re: [xsl] xsl:script and side-effec, David Carlisle | Date | RE: [xsl] XSLT 1.1 comments, Michael Kay |
Month |