XML Editor - Download a Free Trial >
See What's New >
Buy Now >

[Home] [By Thread] [By Date] [Recent Entries]

Subject: Re: xml/xsl character escaping in user entered data
From: Julian Reschke <julian.reschke@xxxxxx>
Date: Sun, 04 Apr 2004 22:27:38 +0200
Hi,

Ken's suggestion will work; note however that it opens a possible security hole where users will be able to insert executable script into the database which will propagate later into the client's browsers. If these are running in a "trusted" security zone (quite common in a company's intranet), it will be able to more or less execute arbitrary code (at least when run IE with active scripting enabled).

I'd recommend to tidy the input into XHTML, and then use XSLT just to copy over those XHTML elements considered "safe" (such as <b>, <i>), filtering out everything else.

Julian

--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760

Current Thread
<- PreviousIndexNext ->
Re: xml/xsl character escapin, G. Ken Holman Thread XSL Template Designer V1.0 re, Kazumi Hara
Re: xml/xsl character escapin, G. Ken Holman Date RE: Saxon & Fallback from doc, David . Pawson
Month

XML Editor - Download a 15 Day Free Trial Now >
See What's New in Stylus Studio >
Buy Stylus Studio - XML Editor - Now >
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member