This is the mail archive of the xsl-list@mulberrytech.com mailing list .


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

RE: Converting &, >, <, ", and other odd-ball characters...


It's not just a matter of efficiency.  If your page contains an input box
for entering my name, and I put in "<b>Paul</b>", and you forget to escape
the "<" and ">" characters, then when you echo it back, intending to say
"Hello, Paul!", my name appears in bold-face.

Not a big deal so far.  But if you give me a big enough input box, I can
enter an entire Javascript function there, and when you echo that back, if I
do it right, I can get the browser to execute that function.  And it could
be somebody else's browser where it appears.  In other words, it's a
potential security issue.

PC2

-----Original Message-----
From: Kevin Duffey [mailto:kevin.duffey@home.com]
Sent: February 15, 2001 08:22
To: xsl-list@lists.mulberrytech.com
Subject: RE: [xsl] Converting &, >, <, ", and other odd-ball
characters...


That is what I did, and it works. I guess when a site is done properly, it
will handle "less" traffic than if the fields were not escaped? All that
String processing must eat up time..I mean, if you have 1000 people all hit
the same page at the same 1 second period of time, that is x number of
fields x 1000 requests all being processed through this one method call. I
made it a static final method to speed things up a bit, but I wish there was
a way to tell the XML parser "if you see & replace it with &amp;, if you
see...". I take it there is no way at the top of an XML page to tell the XML
parser to convert these characters?

Thanks again.

 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]