This is the mail archive of the xsl-list@mulberrytech.com mailing list.



Re: disable-output-escaping not working?


Julian,

This all sounds good.

1. I did not realize that I was using the wrong namespace. I was going with
the examples in the books/articles I was using. I am just looking for plain
old XML/XSL I think, or should I be using XSLT? This is all a little
overwhelming when you are new to it. I'm a programmer by trade, and I have
to say that XML seems to have more 'standards, namespaces and requirements'
than it does code :P. What namespace(s) do you recommend?

2. Parsing the HTML using TIDY sounds like a good idea. Hopefully not too
much extra work. What is TIDY and where can I find it?

3. XHTML? Hmm, so now I am looking at an XML/XSL/XSLT/TIDY/XHTML solution?
Hehe. Any good references on XHTML? Every time I try anything with XML, seems
like I have to learn 2 or 3 new related technologies :)

Thanks for the reply!

Hank

----- Original Message -----
From: "Julian Reschke" <julian.reschke@gmx.de>
To: <xsl-list@lists.mulberrytech.com>
Sent: Thursday, July 04, 2002 8:14 AM
Subject: RE: [xsl] disable-output-escaping not working?


> Hi,
>
> first of all, you don't use XSLT (see namespace declaration of your
> stylesheet). d-o-e is an optional feature of XSLT, not "WD-XSL".
>
> Second, if you allow users to enter arbitrary HTML and plan to send that to
> people looking at the messages, this is a potential security hole because
> the user might enter script tags as well. I'd recommend to parse the HTML
> using TIDY, and then to copy only the (X)HTML subset you're willing to
> store. This in turn should be done as proper XHTML markup, not as plain text
> (then you won't need to disable escaping at all).
>
> Julian
>
> > -----Original Message-----
> > From: owner-xsl-list@lists.mulberrytech.com
> > [mailto:owner-xsl-list@lists.mulberrytech.com]On Behalf Of Henry E. Lee,
> > Jr.
> > Sent: Thursday, July 04, 2002 1:58 PM
> > To: XSL-List@lists.mulberrytech.com
> > Subject: [xsl] disable-output-escaping not working?
> >
> >
> > Hello all,
> >
> > First I would like to say I am new to XML/XSL, please bear with me!
> >
> > Second, I did look through all of the archives before posting, and I did
> > find the solution to my problem, except that part of it does not work.
> >
> > I am creating an application that will use XML/XSL to display data for
> > message boards, news items, etc. As a result, it is imperative that I allow
> > people to insert HTML directly into my XML documents.
> >
> > So far to do this I have tried two different techniques. The first was to
> > use commenting like so:
> >
> > <message>
> >   <!--
> >   My HTML can go here with line breaks<br>
> >   and <b>bold</b> font.
> >   -->
> > </message>
> >
> > The second technique I tried was the CDATA like so:
> >
> > <message>
> >   <![CDATA[
> >   My HTML can go here with line breaks<br>
> >   and <b>bold</b> font.
> >   ]]>
> > </message>
> >
> > In my XSL document, I have been trying to use
> > disable-output-escaping="yes"
> > but it seems to be getting completely ignored. I have tried using:
> >
> > <?xml version="1.0" ?>
> > <xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
> >   ...
> >   <xsl:value-of select="message/comment()" disable-output-escaping="yes"/>
> >   ...
> > </xsl:stylesheet>
> >
> > I have also tried a variety of other things as well. Of the ones that work,
> > they all display the HTML without interpreting the tags and such.
> >
> > Thanks so much for the assistance,
> >
> > Hank
> >
> > ----------------------------------------
> > Henry E. Lee, Jr.
> > ----------------------------------------
> >
> >
> >  XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
> >
>
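
Added example (not code from this thread or from any poster): a sketch of the approach Julian describes, in which user HTML is parsed, only an allowed subset is copied, and the result is stored as well-formed XHTML markup. Python's standard `html.parser` stands in for TIDY here, and the allowlist and the function names `sanitize` and `as_message` are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from xml.sax.saxutils import escape

# Assumed allowlist for illustration; the thread does not name a specific subset.
ALLOWED = {"b", "i", "em", "strong", "p", "br"}
VOID = {"br"}                       # emitted as <br/> so the result is well-formed XML
DROP_CONTENT = {"script", "style"}  # element and its text are both discarded

class AllowlistToXHTML(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            # Attributes are never copied, so onclick=, style= etc. cannot survive.
            self.out.append("<%s/>" % tag if tag in VOID else "<%s>" % tag)
            if tag not in VOID:
                self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:
            # Close any still-open children first so nesting stays balanced.
            while self.stack:
                top = self.stack.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never trusted as markup

def sanitize(html):
    """Return a well-formed XHTML fragment containing only ALLOWED elements."""
    p = AllowlistToXHTML()
    p.feed(html)
    p.close()
    while p.stack:                  # close whatever the user left open
        p.out.append("</%s>" % p.stack.pop())
    return "".join(p.out)

def as_message(html):
    """Embed the fragment as real child nodes of <message>; parsing proves well-formedness."""
    return ET.fromstring("<message>%s</message>" % sanitize(html))
```

Because the stored message then contains real element nodes instead of escaped text, a stylesheet can emit it with `xsl:copy-of` and never needs `disable-output-escaping`.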

