This is the mail archive of the xsl-list@mulberrytech.com mailing list .



RE: Bringing HTML through


#1 happens because the parser thinks you're trying to import a text node and
helpfully escapes <> for you.  I don't know how you're pulling it from the
database, but you'll have to parse it and then import it into the document
you want to transform.  The CDATA section seems like an impediment to what
you want to achieve, esp. if you want to do some filtering on the elements
you're allowing.

For #2, assuming you've got a document like this:

<data>
All this stuff came from my database.
<i>Italics are OK.</i>.
<b>Bold text gets passed on</b>
<a href="http://localhost">This link should be passed on too.</a>
<script>This script doesn't get passed on.</script>
</data>

Then this stylesheet:
<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                version="1.0">
	<xsl:template match="data">
		<body>
		<xsl:copy-of select="i|b|a|text()"/>
		</body>
	</xsl:template>
</xsl:stylesheet>

Produces this output:
<body>
All this stuff came from my database.
<i>Italics are OK.</i>.
<b>Bold text gets passed on</b>
<a href="http://localhost">This link should be passed on too.</a>
</body>

I don't think I'd assume <a> is safe; you can put javascript into the href
attribute.  This gets more complicated if you want to suppress the <a>
element but allow the child text node to be displayed, or if you want to
suppress certain attributes.  In that case you'd have to set up another
template to match what you're allowing and then use a body like 
<xsl:copy><xsl:apply-templates /></xsl:copy> 
to copy the current node and process the children.  Something like that at
least.

> -----Original Message-----
> From: Ian Sparks [mailto:isparks@wmute.u-net.com]
> Sent: Tuesday, October 17, 2000 9:22 AM
> To: xsl-list@mulberrytech.com
> Subject: Bringing HTML through
> 
> 
> I posted this one to the MSXML newsgroup some time back but 
> so far haven't
> had a response. I'm pleased I signed up to this list since 
> there seem to be
> some real experts here (thanks guys!).
> 
> Hopefully I'll be able to start contributing rather than just asking
> questions soon.
> 
> .....
> 
> I have a problem with bringing XML documents through from a database.
> 
> I want to store the following in my database record :
> 
> "<i>Hello</i>"
> 
> I need to pull this data out, put it into a DOM tree and then 
> pass it to the
> XSL filter for processing. I want to get the same structure 
> carried through
> into my resulting HTML file (so "Hello" appears in italics).
> 
> Problem #1 : As soon as I load the text "<i>Hello</i>" as
> the text of a node it gets transformed into 
> &lt;i;&gt;Hello... style. Not
> what I want.
> 
> Problem #2 : Let's say I put this data into a CDATA section to carry it
> through, I still can't work out how to pull the contents of 
> that section out
> and have it carried through to my HTML without it getting 
> transformed into
> &lt;i;&gt;Hello...
> 
> For security reasons I might want to limit the tags that can be
> carried-through in this way (maybe allowing italic, bold, 
> HREFs etc but
> disallowing script or anything potentially malicious).
> 
> All insight appreciated. I suspect xsl:copy is involved but I 
> can't work it
> out!
> 
> - Ian Sparks.
> 
> 
> 
>  XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
> 


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
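
Added example, not part of the original message: one way to write the allow-list the reply sketches, using <xsl:copy><xsl:apply-templates/></xsl:copy> so that attributes are dropped and nested markup is filtered as well. Accepting only http:// and https:// in href is an assumption made here, not a rule from the thread.

```xslt
<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                version="1.0">
  <xsl:output method="html"/>

  <!-- Entry point: filter the children of <data> into <body>. -->
  <xsl:template match="data">
    <body><xsl:apply-templates/></body>
  </xsl:template>

  <!-- Allowed inline elements. xsl:copy copies the element itself but
       none of its attributes, so onclick, style etc. never reach the
       output; children are filtered recursively. -->
  <xsl:template match="i | b">
    <xsl:copy><xsl:apply-templates/></xsl:copy>
  </xsl:template>

  <!-- Links: href is the only attribute kept, and only when its scheme
       is on the allow-list (assumed here: http and https). The compare
       is done on a lower-cased, whitespace-trimmed copy of the value. -->
  <xsl:template match="a">
    <xsl:variable name="href" select="normalize-space(@href)"/>
    <xsl:variable name="lower"
        select="translate($href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
                                 'abcdefghijklmnopqrstuvwxyz')"/>
    <xsl:choose>
      <xsl:when test="starts-with($lower, 'http://') or
                      starts-with($lower, 'https://')">
        <a href="{$href}"><xsl:apply-templates/></a>
      </xsl:when>
      <!-- Anything else (javascript:, data:, missing href): drop the
           <a> wrapper but keep its text. -->
      <xsl:otherwise><xsl:apply-templates/></xsl:otherwise>
    </xsl:choose>
  </xsl:template>

  <!-- script is removed together with its content. -->
  <xsl:template match="script"/>

  <!-- Every other element: the tag is dropped, its children are still
       processed, so plain text survives via the built-in text rule. -->
  <xsl:template match="*">
    <xsl:apply-templates/>
  </xsl:template>
</xsl:stylesheet>
```

Because the catch-all template matches anything not explicitly listed, a new element type in the stored data is stripped by default rather than passed through.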
