XML Editor - Download a Free Trial >
See What's New >
Buy Now >

[Home] [By Thread] [By Date] [Recent Entries]

Subject: Re: What data needs to be enclosed in CDATA tags?
From: Gustave Stresen-Reuter <tedmasterweb@xxxxxxx>
Date: Wed, 28 Sep 2005 22:13:04 +0100
On Sep 28, 2005, at 9:42 PM, David Carlisle wrote:


If I'm storing data that may contain encoded versions of <>&" and ', do
I need to store that data in CDATA sections or am I misunderstanding
the role of CDATA?

I'm not sure what you mean, but don't (try to) use entities _amd_ CDATA.

I'm working on a site documentation system that allows users to submit data about the current page. The data _could_ contain such characters and I was debating whether or not to convert them prior to committing them to the XML file. A web developer once told me to always store exactly what the users enter and this was one area where I thought there could be some problems...

And this brings up an interesting potential security violation. If these characters weren't escaped, users could do something similar to the javascript cross-site scripting exploit. I don't know exactly what, but I could imagine that they could submit a link to a stylesheet on their own server that returns the contents of the XML file that this data is stored in.

Thanks a lot for the clarification on the use of CDATA section.

Ted

Current Thread
<- PreviousIndexNext ->
Re: What data needs to be enc, David Carlisle Thread [no subject], Unknown
Re: What data needs to be enc, David Carlisle Date [no subject], Unknown
Month

XML Editor - Download a 15 Day Free Trial Now >
See What's New in Stylus Studio >
Buy Stylus Studio - XML Editor - Now >
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member