Posted to dev@xalan.apache.org by bu...@apache.org on 2001/11/21 22:19:58 UTC

DO NOT REPLY [Bug 1403] - xsltc has problems with output escaping

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=1403

xsltc has problems with output escaping

tom.amiro@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|VERIFIED                    |REOPENED
         Resolution|FIXED                       |



------- Additional Comments From tom.amiro@sun.com  2001-11-21 13:19 -------
As we discussed, we need to make sure that in HTML attributes 
the < and > chars are not escaped, because JavaScript may be written 
to an attribute, such as the onClick attribute.

I also did some testing on this fix and found other problems. Tried 
to plug an ATV in an HTML attribute and nothing was returned. Also,
tried to create an HTML attribute using <xsl:attribute> and again 
the output was null.

Here is the output from Xalan (which looks good) and XSLT showing the 
aforementioned problems on a test called bug4845.

Running xalan on bug4845
<html>
<body>
<form>
  Create input field using xsl:attribute to create attributes -- escaping
off<br>
<input type="text" value-of_esc_yes="The &quot;Rotary&quot; 5M/2.4M <Road> Race"
text_esc_yes=" real &quot; and escaped &quot; less than < and greater than >">
<p>
      LRE with disable-output-escaping=yes<br>
      value-of The "Rotary" 5M/2.4M <Road> Race<br>
      text  real " and escaped " less than < and greater than ><br>
</p>
  Create input field using xsl:attribute to create attributes -- escaping on<br>
<input type="text" value-of_esc_no="The &quot;Rotary&quot; 5M/2.4M <Road> Race"
text_esc_no=" real &quot; and escaped &quot; less than < and greater than >">
<p>
      LRE with disable-output-escaping=yes<br>
      value-of The "Rotary" 5M/2.4M <Road> Race<br>
      text  real " and escaped " less than < and greater than ><br>
</p>
  Create input field with value taken from an ATV<br>
<input value="The &quot;Rotary&quot; 5M/2.4M <Road> Race" name="atv"
type="text">
</form>
</body>
</html>

Running XSLTC with Xerces Parser on bug4845
<html>
  <body>
    <form>
  Create input field using xsl:attribute to create attributes -- escaping
off<br><input>
      <p>
      LRE with disable-output-escaping=yes<br>
      value-of The "Rotary" 5M/2.4M <Road> Race<br>
      text  real " and escaped " less than < and greater than ><br>
      </p>
  Create input field using xsl:attribute to create attributes -- escaping
on<br><input>
      <p>
      LRE with disable-output-escaping=yes<br>
      value-of The "Rotary" 5M/2.4M <Road> Race<br>
      text  real " and escaped " less than < and greater than ><br>
      </p>
  Create input field with value taken from an ATV<br><input>
    </form>
  </body>
</html>


bug4845.xsl
-----------
<?xml version="1.0" ?>
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:output method="html" />

<xsl:template match="calendar">
<html>
<body>
<form>
  Create input field using xsl:attribute to create attributes -- escaping off<br/>
  <input type="text">
    <xsl:attribute name="value-of_esc_yes">
      <xsl:value-of disable-output-escaping="yes" select="entry/name"/>
    </xsl:attribute>
    <xsl:attribute name="text_esc_yes">
      <xsl:text disable-output-escaping="yes"> real " and escaped &quot; less than &lt; and greater than &gt;</xsl:text>
    </xsl:attribute>
  </input>
  <p>
      LRE with disable-output-escaping=yes<br/>
      value-of <xsl:value-of disable-output-escaping="yes" select="entry/name"/><br/>
      text <xsl:text disable-output-escaping="yes"> real " and escaped &quot; less than &lt; and greater than &gt;</xsl:text><br/>
  </p>
  Create input field using xsl:attribute to create attributes -- escaping on<br/>
  <input type="text">
    <xsl:attribute name="value-of_esc_no">
      <xsl:value-of disable-output-escaping="no" select="entry/name"/>
    </xsl:attribute>
    <xsl:attribute name="text_esc_no">
      <xsl:text disable-output-escaping="no"> real " and escaped &quot; less than &lt; and greater than &gt;</xsl:text>
    </xsl:attribute>
  </input>
  <p>
      LRE with disable-output-escaping=yes<br/>
      value-of <xsl:value-of disable-output-escaping="yes" select="entry/name"/><br/>
      text <xsl:text disable-output-escaping="yes"> real " and escaped &quot; less than &lt; and greater than &gt;</xsl:text><br/>
  </p>
  Create input field with value taken from an ATV<br/>
  <input type="text" name="atv" value="{entry/name}"></input>
</form>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

bug4845.xml
-----------
<?xml version="1.0" encoding="utf-8" ?>
<calendar>
<entry>
<name>The &quot;Rotary&quot; 5M/2.4M &lt;Road&gt; Race</name>
</entry>
</calendar>
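
Added example (not part of the bug report or of the Xalan/XSLTC code base): a small Python regression check for the behaviour described in the comment above. It parses a serialized <input> tag, reports attributes that were dropped, and flags < or > written as entities inside an attribute. The sample tags are constructed from the ATV case in the two transcripts; check_input and EXPECTED are hypothetical names.

```python
from html.parser import HTMLParser

# Constructed samples: the ATV <input> tag as each processor emitted it above.
XALAN_TAG = ('<input value="The &quot;Rotary&quot; 5M/2.4M <Road> Race" '
             'name="atv" type="text">')
XSLTC_TAG = '<input>'

# Decoded attribute values the stylesheet should produce for bug4845.xml.
EXPECTED = {"value": 'The "Rotary" 5M/2.4M <Road> Race',
            "name": "atv",
            "type": "text"}


class _InputTags(HTMLParser):
    """Collect (decoded attributes, raw tag text) for each <input> start tag."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.tags.append((dict(attrs), self.get_starttag_text()))


def check_input(html, expected):
    """Return a list of findings for the first <input> element in html."""
    parser = _InputTags()
    parser.feed(html)
    parser.close()
    if not parser.tags:
        return ["no <input> element found"]
    attrs, raw = parser.tags[0]
    findings = []
    for name, want in expected.items():
        if name not in attrs:
            findings.append(f"missing attribute: {name}")
        elif attrs[name] != want:
            # Also catches an unescaped " that ends the value early.
            findings.append(f"wrong value for {name}: {attrs[name]!r}")
    # The comment asks that < and > stay literal inside HTML attributes.
    if "&lt;" in raw or "&gt;" in raw:
        findings.append("< or > escaped inside an attribute value")
    return findings


if __name__ == "__main__":
    for label, tag in (("xalan", XALAN_TAG), ("xsltc", XSLTC_TAG)):
        print(label, check_input(tag, EXPECTED))
```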