Re: [xsl] xml/xsl character escaping in user entered data

Subject: Re: [xsl] xml/xsl character escaping in user entered data
From: Julian Reschke <julian.reschke@xxxxxx>
Date: Sun, 04 Apr 2004 22:27:38 +0200
Hi,

Ken's suggestion will work; note however that it opens a possible security hole where users will be able to insert executable script into the database which will propagate later into the client's browsers. If these are running in a "trusted" security zone (quite common in a company's intranet), it will be able to more or less execute arbitrary code (at least when run IE with active scripting enabled).

I'd recommend to tidy the input into XHTML, and then use XSLT just to copy over those XHTML elements considered "safe" (such as <b>, <i>), filtering out everything else.

Julian

--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760

Current Thread