[ http://nagoya.apache.org/jira/browse/XALANJ-123?page=history ]

Henry Zongaro updated XALANJ-123:
---------------------------------

      Assign To:     (was: Xalan Developers Mailing List)
           type: Improvement  (was: Bug)
    Description: 
Xalan automatically escapes the contents of the HREF attribute on an anchor tag.
This escaping causes the script code to be modified, resulting in the script 
either not working at all, or producing erroneous output. The following is a 
simple example of this problem:

Given this XML: 
<?xml version="1.0" encoding="UTF-8"?> 
<root/> 

and this stylesheet: 
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> 

<xsl:output method="html" media-type="text/html" indent="no"/> 

<xsl:template match="/root"> 
        <html> 
                <head> 
                        <script language="JavaScript" type="text/javascript"> 
                        function sendMessage(string1, string2) { 
                                alert(string1 + string2); 
                        } 
                        </script> 
                </head> 
                <body> 
                        <a href="javascript:sendMessage('hello ', 'world')">Send Message</a><br/> 
                        <a href="javascript:sendMessage('hello ','world')">Send Message2</a> 
                </body> 
        </html> 
</xsl:template> 
</xsl:stylesheet> 



The link should look like this: 
        <a href="javascript:sendMessage('hello ', 'world')">Send Message</a> 
Xalan renders this line like: 
        <a href="javascript:sendMessage('hello%20',%20'world')">Send Message</a> 
When you click on the link in Netscape, nothing happens. 

If you remove the space between the arguments like this: 
        <a href="javascript:sendMessage('hello ','world')">Send Message2</a> 
Xalan will encode it like this: 
        <a href="javascript:sendMessage('hello%20','world')">Send Message2</a> 
Clicking on the link will result in an alert dialog box displaying the 
text "hello%20world", instead of "hello world". 

As you can see, depending on how the JavaScript is written, the link will 
either not function at all, or will display the wrong data to the user.

While the XSLT specification recognizes that escaping should not be performed 
on the contents of a <script> or <style> tag, it does not take into account 
that many web developers use links to run their scripts. 

Would it be possible to implement a change to Xalan that would modify 
xsl:output to use xalan:escape-urls="no" to turn the escaping off for specific 
prefixes? The prefixes could be specified using something like 
xalan:ignore-prefix="prefix1,prefix2,..." or maybe list each prefix individually 
using multiple xalan:ignore-prefix statements. The default Xalan behavior would 
be to always escape URLs, unless xalan:escape-urls="no" was specified in the 
stylesheet. This would ensure that Xalan would remain standards compliant, 
while providing the flexibility that scripters need.

By taking this approach, Xalan would not have to keep a list of all possible 
prefixes for exclusion. It would only look for the prefixes each user specifies 
with xalan:ignore-prefix. Each client's performance would not be impacted by 
searching for prefixes that they do not use. It would also prevent Xalan from 
having to have multiple attributes for different scripts, like 
xalan:escape-javascript-urls, xalan:escape-visualbasic-urls, etc. I'm not sure 
if ignore-prefix is a good name, but the concept is to specify the prefix(es) 
that would indicate to Xalan that it should not escape that URL. 

NOTE: I have written to the W3C about making provisions in the XSLT 
specification to recognize this issue.

Please refer to [EMAIL PROTECTED] for an in-depth discussion of this 
issue.

    Environment: 
Operating System: All
Platform: PC

       Priority: Major
    Bugzilla Id:   (was: 1311)

> Problem with url encoding and script-based function calls
> ---------------------------------------------------------
>
>          Key: XALANJ-123
>          URL: http://nagoya.apache.org/jira/browse/XALANJ-123
>      Project: XalanJ2
>         Type: Improvement
>   Components: Xalan
>     Versions: 2.0.1
>  Environment: Operating System: All
> Platform: PC
>     Reporter: Dale Byington


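The two links from the report, run through a simplified model of the escaping, as an added example that is not part of the original report and is not Xalan code. The names escapeUriAttr, escapeUnlessPrefixed and clickLink are hypothetical; clickLink assumes a browser that hands the text after "javascript:" to the script engine without percent-decoding it, which is the behaviour the report describes.

```javascript
// Added example: models the escaping described in the report; not Xalan code.

// Simplified model of the HTML output method's URI-attribute escaping:
// spaces and non-ASCII characters become %XX (assumption: every other
// character is left alone, which is all the report's output shows).
function escapeUriAttr(value) {
  let out = "";
  for (const ch of value) {
    out += (ch === " " || ch.codePointAt(0) > 0x7f) ? encodeURIComponent(ch) : ch;
  }
  return out;
}

// Hypothetical form of the proposal: skip escaping when the value starts
// with one of the prefixes the stylesheet author listed.
function escapeUnlessPrefixed(value, ignorePrefixes) {
  const v = value.trimStart().toLowerCase();
  const exempt = ignorePrefixes.some((p) => v.startsWith(p.toLowerCase()));
  return exempt ? value : escapeUriAttr(value);
}

// Models a browser that passes the text after "javascript:" to the script
// engine as-is, with a stand-in for the page's sendMessage function.
function clickLink(href) {
  const body = href.slice("javascript:".length);
  let shown = null;
  const sendMessage = (a, b) => { shown = a + b; };
  try {
    new Function("sendMessage", body)(sendMessage);
  } catch (e) {
    return { ran: false, error: e.name }; // escaped text no longer parses
  }
  return { ran: true, shown };
}

// The two href values from the report's stylesheet.
const link1 = "javascript:sendMessage('hello ', 'world')";
const link2 = "javascript:sendMessage('hello ','world')";

console.log(escapeUriAttr(link1), clickLink(escapeUriAttr(link1)));
console.log(escapeUriAttr(link2), clickLink(escapeUriAttr(link2)));
console.log(clickLink(escapeUnlessPrefixed(link1, ["javascript:"])));
```

The first link fails to parse once the space between the arguments becomes %20, and the second runs but carries the literal text %20 inside its string argument; with the prefix exempted, both reach the script engine unchanged while ordinary URLs are still escaped.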