Posted to dev@xalan.apache.org by bu...@apache.org on 2001/05/02 21:27:50 UTC
[Bug 1604] New - Scriptable HTML attributes need to be returned unescaped
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=1604
*** shadow/1604 Wed May 2 12:27:50 2001
--- shadow/1604.tmp.10445 Wed May 2 12:27:50 2001
***************
*** 0 ****
--- 1,183 ----
+ +============================================================================+
+ | Scriptable HTML attributes need to be returned unescaped |
+ +----------------------------------------------------------------------------+
+ | Bug #: 1604 Product: XalanJ2 |
+ | Status: NEW Version: 2.0.1 |
+ | Resolution: Platform: PC |
+ | Severity: Normal OS/Version: |
+ | Priority: Component: org.apache.xalan.serial |
+ +----------------------------------------------------------------------------+
+ | Assigned To: xalan-dev@xml.apache.org |
+ | Reported By: nvick@capcollege.bc.ca |
+ | CC list: Cc: |
+ +----------------------------------------------------------------------------+
+ | URL: |
+ +============================================================================+
+ | DESCRIPTION |
+ The HTML attribute HREF is returned unescaped (you will see & characters just
+ like that), whereas scriptable attributes, such as ONCLICK, are returned are
+ returned escaped (you will see & and < instead). Therefore, if you use
+ & or < in JavaScript in a scriptable attribute, it will only work in
+ XHTML-aware browsers, and Netscape 4 is not one of them.
+
+ I think that when the output method is HTML, Xalan should return HTML and not
+ XHTML. In any case, there needs to be a way to manually force an attribute to
+ have an unescaped value, or perhaps all HTML attributes should use unescaped
+ values.
+
+ This topic is parially covered in sections 16.2 and 16.4 of the XSLT 1.0
+ recommendation and 1.1 working draft, but some further attention needs to be
+ given to scriptable HTML attributes.
+
+ The following XML and XSL files illustrate my point:
+
+ ***********************
+ [AmpersandProblem.xml]:
+ ***********************
+ <?xml version="1.0"?>
+ <?xml-stylesheet type="text/xsl" href="AmpersandProblem.xsl"?>
+
+ <!DOCTYPE AmpersandProblem [
+ <!ELEMENT AmpersandProblem (#PCDATA)>
+ <!ATTLIST AmpersandProblem
+ attribute1 CDATA #REQUIRED
+ attribute2 CDATA #REQUIRED
+ attribute3 CDATA #REQUIRED
+ >
+ ]>
+
+ <AmpersandProblem attribute1="1" attribute2="2" attribute3="3&more">
+ Ampersand Problem Opening Popup Window with JavaScript.
+ </AmpersandProblem>
+
+
+ ***********************
+ [AmpersandProblem.xsl]:
+ ***********************
+ <?xml version='1.0'?>
+ <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+
+ <xsl:output method="html"/>
+
+ <xsl:template match="/">
+ <HTML>
+ <HEAD>
+ <TITLE>Ampersand Problem</TITLE>
+
+ <SCRIPT LANGUAGE="JavaScript">
+ <![CDATA[
+ function openPneunomicPopup(attribute1, attribute2, attribute3) {
+ var areaPopupWindow = window.open('AmpersandProblem.xml?
+ parameter1=' + attribute1 + '¶meter2=' + attribute2 + '¶meter3=' +
+ attribute3, 'PopupWindow', 'status=yes,scrollbars=yes,resizable=yes,width=200,he
+ ight=350');
+ areaPopupWindow.focus();
+ }
+ ]]>
+ </SCRIPT>
+ </HEAD>
+
+ <BODY>
+ <H1>Ampersand Problem</H1>
+ <P>
+ <I>By <A HREF="mailto:nvick@capcollege.bc.ca">Nathan Vick
+ (nvick@capcollege.bc.ca)</A>, a programmer at Capilano College in North
+ Vancouver, BC, Canada.</I>
+ </P>
+ <BR/>
+
+ <P>
+ Please view the resultant HTML document to compare and contrast the
+ way the <B>&</B> character is output in the <B>HREF</B> and <B>ONCLICK</B>
+ attributes of the <B>A</B> element.
+ The Xalan 2 XSLT processor disables output escaping for the
+ <B>HREF</B> attribute, but not for the <B>ONCLICK</B> attribute.
+ Furthermore, I can find no way, (even in the XSLT recommendation
+ itself) to manually disable output escaping for for an <B>attribute</B>,
+ although you can do so for a <B>text node</B>, as per section 16.4 of the <A
+ HREF="http://www.w3.org/TR/xslt.html#disable-output-escaping">XSLT
+ recomendation 1.0</A> and the <A HREF="http://www.w3.org/TR/xslt11/#disable-
+ output-escaping">XSLT working draft 1.1</A>.
+ </P>
+ <P>
+ Internet Explorer 5.5 is more XHTML aware and does not mind the
+ escaped <B>&amp;</B> in the JavaScript of the <B>ONCLICK</B> attribute of
+ the HTML , but Netscape Navigator 4 requires an unescaped <B>&</B>.
+ I think XSLT should ideally be able to return unescaped values for
+ HTML's scriptable attributes, such as ONCLICK.
+ This would not be an issue if we were returning XHTML or XML from the
+ stylesheet, but we have to support existing browsers (at least version 4+) for
+ a while longer.
+ </P>
+
+ <xsl:for-each select="/AmpersandProblem">
+ <BR/>
+ <P>
+ Intuitive approach fails (the value of the <B>HREF</B> attribute is
+ returned unescaped, whereas the value of the <B>ONCLICK</B> attribute is
+ returned escaped):<BR/>
+ <A HREF="AmpersandProblem.xml?parameter1={@attribute1}
+ &parameter2={@attribute2}&parameter3={@attribute3}"
+ TARGET="_blank"
+ ONCLICK="window.open('AmpersandProblem.xml?parameter1=
+ {@attribute1}&parameter2={@attribute2}&parameter3=
+ {@attribute3}', 'PopupWindow', 'status=yes,scrollbars=yes,resizable=yes,width=20
+ 0,height=350'); return false;">
+ <B><xsl:value-of select="."/></B>
+ </A>
+ </P>
+
+ <P>
+ Workaround 1 fails (an <B>&amp;</B> before a <B>{</B> is
+ supposed to be retured unescaped according to <A
+ HREF="http://www.w3.org/TR/xslt.html#section-HTML-Output-Method">section
+ 16.2</A>):<BR/>
+ <A HREF="AmpersandProblem.xml?parameter1={@attribute1}
+ &parameter2={@attribute2}&parameter3={@attribute3}"
+ TARGET="_blank"
+ ONCLICK="window.open('AmpersandProblem.xml?parameter1=
+ {@attribute1}&{''}parameter2={@attribute2}&{''}parameter3=
+ {@attribute3}', 'PopupWindow', 'status=yes,scrollbars=yes,resizable=yes,width=20
+ 0,height=350'); return false;">
+ <B><xsl:value-of select="."/></B>
+ </A>
+ </P>
+
+ <P>
+ Workaround 2 sort of works, but it is not what we want (an
+ <B>&amp;</B> before a <B>{{</B> is correctly retured unescaped according to
+ <A HREF="http://www.w3.org/TR/xslt.html#section-HTML-Output-Method">section
+ 16.2</A>):<BR/>
+ <A HREF="AmpersandProblem.xml?parameter1={@attribute1}
+ &parameter2={@attribute2}&parameter3={@attribute3}"
+ TARGET="_blank"
+ ONCLICK="window.open('AmpersandProblem.xml?parameter1=
+ {@attribute1}&{{}}parameter2={@attribute2}&{{}}parameter3=
+ {@attribute3}', 'PopupWindow', 'status=yes,scrollbars=yes,resizable=yes,width=20
+ 0,height=350'); return false;">
+ <B><xsl:value-of select="."/></B>
+ </A>
+ </P>
+
+ <P>
+ Workaround 3 works (the contents of a <B>SCRIPT</B> element are
+ returned unescaped as per <A HREF="http://www.w3.org/TR/xslt.html#section-HTML-
+ Output-Method">section 16.2</A>): <BR/>
+ <A HREF="AmpersandProblem.xml?parameter1={@attribute1}
+ &parameter2={@attribute2}&parameter3={@attribute3}"
+ TARGET="_blank"
+ ONCLICK="window.open('AmpersandProblem.xml?parameter1=
+ {@attribute1}&parameter2={@attribute2}&parameter3=
+ {@attribute3}', 'PopupWindow', 'status=yes,scrollbars=yes,resizable=yes,width=20
+ 0,height=350'); return false;">
+ <B><xsl:value-of select="."/></B>
+ </A>
+ </P>
+ </xsl:for-each>
+
+ <BR/>
+ </BODY>
+ </HTML>
+ </xsl:template>
+
+ </xsl:stylesheet>
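Review bot: The ONCLICK values in AmpersandProblem.xsl place {@attribute1}, {@attribute2} and {@attribute3} directly inside a single-quoted JavaScript string that is also a URL query, with no encoding step in the stylesheet, so the DESCRIPTION's suggestion that "perhaps all HTML attributes should use unescaped values" would drop the escaping these values currently get on their way into the attribute. The sample document already gives attribute3 a value containing an ampersand, so parameter3 is split at that ampersand when the URL is parsed, and a value containing a quote character would end the JavaScript string or the attribute itself once nothing escapes it. I would narrow the request to an explicit per-attribute opt-in rather than a serializer-wide default, and have the stylesheet URL-encode the attribute values before they reach the query string. Separately, the markup under "Workaround 3 works" is the same ONCLICK as the "Intuitive approach fails" case and never calls openPneunomicPopup from the SCRIPT element, so as shown it does not demonstrate the workaround its text describes.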