RE: [xsl] Converting &, >, <, ", and other odd-ball characters...

Subject: RE: [xsl] Converting &, >, <, ", and other odd-ball characters...
From: "Kevin Duffey" <kevin.duffey@xxxxxxxx>
Date: Thu, 15 Feb 2001 10:00:54 -0800
Hi there,

I am sorry..but I don't quite understand your reply. What is a potential
security risk? I thought about using the browser via JavaScript to do
this..the problem is I would have to convert the characters at runtime
before the form is submitted to their proper &esc; sequence. The problem
with that is, we use the data in XML, as well as for other purposes, and we
don't want to store HTML specific character sequences. We want the
server-side to see the actual characters, but only the "view" would see the
HTML specific characters (provided the view is a web browser and not a
teller machine or something like that).

Can you elaborate a bit on what you meant?


> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx]On Behalf Of Clapham, Paul
> Sent: Thursday, February 15, 2001 9:17 AM
> To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> Subject: RE: [xsl] Converting &, >, <, ", and other odd-ball
> characters...
> It's not just a matter of efficiency.  If your page contains an input box
> for entering my name, and I put in "<b>Paul</b>", and you forget to escape
> the "<" and ">" characters, then when you echo it back, intending to say
> "Hello, Paul!", my name appears in bold-face.
> Not a big deal so far.  But if you give me a big enough input box, I can
> enter an entire Javascript function there, and when you echo that
> back, if I
> do it right, I can get the browser to execute that function.  And it could
> be somebody else's browser where it appears.  In other words, it's a
> potential security issue.
> PC2
> -----Original Message-----
> From: Kevin Duffey [mailto:kevin.duffey@xxxxxxxx]
> Sent: February 15, 2001 08:22
> To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
> Subject: RE: [xsl] Converting &, >, <, ", and other odd-ball
> characters...
> That is what I did, and it works. I guess when a site is done properly, it
> will handle "less" traffic than if the fields were not escaped? All that
> String processing must eat up time..I mean, if you have 1000
> people all hit
> the same page at the same 1 second period of time, that is x number of
> fields x 1000 requests all being processed through this one method call. I
> made it a static final method to speed things up a bit, but I
> wish there was
> a way to tell the XML parser "if you see & replace it with &amp;, if you
> see...". I take it there is no way at the top of an XML page to
> tell the XML
> parser to convert these characters?
> Thanks again.
>  XSL-List info and archive:

 XSL-List info and archive:

Current Thread