RE: [xsl] Converting &, >, <, ", and other odd-ball characters...

Subject: RE: [xsl] Converting &, >, <, ", and other odd-ball characters...
From: "Clapham, Paul" <pclapham@xxxxxxxxxxxxx>
Date: Thu, 15 Feb 2001 09:16:45 -0800
It's not just a matter of efficiency.  If your page contains an input box
for entering my name, and I put in "<b>Paul</b>", and you forget to escape
the "<" and ">" characters, then when you echo it back, intending to say
"Hello, Paul!", my name appears in bold-face.

Not a big deal so far.  But if you give me a big enough input box, I can
enter an entire Javascript function there, and when you echo that back, if I
do it right, I can get the browser to execute that function.  And it could
be somebody else's browser where it appears.  In other words, it's a
potential security issue.


-----Original Message-----
From: Kevin Duffey [mailto:kevin.duffey@xxxxxxxx]
Sent: February 15, 2001 08:22
To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
Subject: RE: [xsl] Converting &, >, <, ", and other odd-ball

That is what I did, and it works. I guess when a site is done properly, it
will handle "less" traffic than if the fields were not escaped? All that
String processing must eat up time..I mean, if you have 1000 people all hit
the same page at the same 1 second period of time, that is x number of
fields x 1000 requests all being processed through this one method call. I
made it a static final method to speed things up a bit, but I wish there was
a way to tell the XML parser "if you see & replace it with &amp;, if you
see...". I take it there is no way at the top of an XML page to tell the XML
parser to convert these characters?

Thanks again.

 XSL-List info and archive:

Current Thread