[ http://nagoya.apache.org/jira/browse/XALANJ-207?page=history ]
Henry Zongaro updated XALANJ-207:
---------------------------------
Assign To: (was: Xalan Developers Mailing List)
type: Improvement (was: Bug)
Description:
The HTML attribute HREF is returned unescaped (you will see & characters just
like that), whereas scriptable attributes, such as ONCLICK, are returned
escaped (you will see &amp; and &lt; instead). Therefore, if you use
& or < in JavaScript in a scriptable attribute, it will only work in
XHTML-aware browsers, and Netscape 4 is not one of them.
I think that when the output method is HTML, Xalan should return HTML and not
XHTML. In any case, there needs to be a way to manually force an attribute to
have an unescaped value, or perhaps all HTML attributes should use unescaped
values.
This topic is partially covered in sections 16.2 and 16.4 of the XSLT 1.0
recommendation and 1.1 working draft, but some further attention needs to be
given to scriptable HTML attributes.
The following XML and XSL files illustrate my point:
***********************
[AmpersandProblem.xml]:
***********************
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="AmpersandProblem.xsl"?>
<!DOCTYPE AmpersandProblem [
<!ELEMENT AmpersandProblem (#PCDATA)>
<!ATTLIST AmpersandProblem
attribute1 CDATA #REQUIRED
attribute2 CDATA #REQUIRED
attribute3 CDATA #REQUIRED
>
]>
<AmpersandProblem attribute1="1" attribute2="2" attribute3="3&amp;more">
Ampersand Problem Opening Popup Window with JavaScript.
</AmpersandProblem>
***********************
[AmpersandProblem.xsl]:
***********************
<?xml version='1.0'?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="html"/>
<xsl:template match="/">
<HTML>
<HEAD>
<TITLE>Ampersand Problem</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<![CDATA[
function openPneunomicPopup(attribute1, attribute2, attribute3) {
var areaPopupWindow = window.open('AmpersandProblem.xml?parameter1=' + attribute1 + '&parameter2=' + attribute2 + '&parameter3=' + attribute3,
'PopupWindow',
'status=yes,scrollbars=yes,resizable=yes,width=200,height=350');
areaPopupWindow.focus();
}
]]>
</SCRIPT>
</HEAD>
<BODY>
<H1>Ampersand Problem</H1>
<P>
<I>By <A HREF="mailto:[EMAIL PROTECTED]">Nathan Vick
([EMAIL PROTECTED])</A>, a programmer at Capilano College in North
Vancouver, BC, Canada.</I>
</P>
<BR/>
<P>
Please view the resultant HTML document to compare and contrast the
way the <B>&</B> character is output in the <B>HREF</B> and <B>ONCLICK</B>
attributes of the <B>A</B> element.
The Xalan 2 XSLT processor disables output escaping for the
<B>HREF</B> attribute, but not for the <B>ONCLICK</B> attribute.
Furthermore, I can find no way (even in the XSLT recommendation
itself) to manually disable output escaping for an <B>attribute</B>,
although you can do so for a <B>text node</B>, as per section 16.4 of the <A
HREF="http://www.w3.org/TR/xslt.html#disable-output-escaping">XSLT
recommendation 1.0</A> and the <A
HREF="http://www.w3.org/TR/xslt11/#disable-output-escaping">XSLT working draft 1.1</A>.
</P>
<P>
Internet Explorer 5.5 is more XHTML aware and does not mind the
escaped <B>&amp;</B> in the JavaScript of the <B>ONCLICK</B> attribute of
the HTML , but Netscape Navigator 4 requires an unescaped <B>&</B>.
I think XSLT should ideally be able to return unescaped values for
HTML's scriptable attributes, such as ONCLICK.
This would not be an issue if we were returning XHTML or XML from the
stylesheet, but we have to support existing browsers (at least version 4+) for
a while longer.
</P>
<xsl:for-each select="/AmpersandProblem">
<BR/>
<P>
Intuitive approach fails (the value of the <B>HREF</B> attribute is
returned unescaped, whereas the value of the <B>ONCLICK</B> attribute is
returned escaped):<BR/>
<A HREF="[EMAIL PROTECTED]
&[EMAIL PROTECTED]&[EMAIL PROTECTED]"
TARGET="_blank"
ONCLICK="window.open('AmpersandProblem.xml?parameter1=
[EMAIL PROTECTED]&[EMAIL PROTECTED]&parameter3=
[EMAIL PROTECTED]', 'PopupWindow',
'status=yes,scrollbars=yes,resizable=yes,width=20
0,height=350'); return false;">
<B><xsl:value-of select="."/></B>
</A>
</P>
<P>
Workaround 1 fails (an <B>&amp;</B> before a <B>{</B> is
supposed to be returned unescaped according to <A
HREF="http://www.w3.org/TR/xslt.html#section-HTML-Output-Method">section
16.2</A>):<BR/>
<A HREF="[EMAIL PROTECTED]
&[EMAIL PROTECTED]&[EMAIL PROTECTED]"
TARGET="_blank"
ONCLICK="window.open('AmpersandProblem.xml?parameter1=
[EMAIL PROTECTED]&{''[EMAIL PROTECTED]&{''}parameter3=
[EMAIL PROTECTED]', 'PopupWindow',
'status=yes,scrollbars=yes,resizable=yes,width=20
0,height=350'); return false;">
<B><xsl:value-of select="."/></B>
</A>
</P>
<P>
Workaround 2 sort of works, but it is not what we want (an
<B>&amp;</B> before a <B>{{</B> is correctly returned unescaped according to
<A HREF="http://www.w3.org/TR/xslt.html#section-HTML-Output-Method">section
16.2</A>):<BR/>
<A HREF="[EMAIL PROTECTED]
&[EMAIL PROTECTED]&[EMAIL PROTECTED]"
TARGET="_blank"
ONCLICK="window.open('AmpersandProblem.xml?parameter1=
[EMAIL PROTECTED]&[EMAIL PROTECTED]&{{}}parameter3=
[EMAIL PROTECTED]', 'PopupWindow',
'status=yes,scrollbars=yes,resizable=yes,width=20
0,height=350'); return false;">
<B><xsl:value-of select="."/></B>
</A>
</P>
<P>
Workaround 3 works (the contents of a <B>SCRIPT</B> element are
returned unescaped as per <A
HREF="http://www.w3.org/TR/xslt.html#section-HTML-Output-Method">section 16.2</A>): <BR/>
<A HREF="[EMAIL PROTECTED]
&[EMAIL PROTECTED]&[EMAIL PROTECTED]"
TARGET="_blank"
ONCLICK="window.open('AmpersandProblem.xml?parameter1=
[EMAIL PROTECTED]&[EMAIL PROTECTED]&parameter3=
[EMAIL PROTECTED]', 'PopupWindow',
'status=yes,scrollbars=yes,resizable=yes,width=20
0,height=350'); return false;">
<B><xsl:value-of select="."/></B>
</A>
</P>
</xsl:for-each>
<BR/>
</BODY>
</HTML>
</xsl:template>
</xsl:stylesheet>
Environment:
Operating System: All
Platform: PC
Priority: Major
Bugzilla Id: (was: 1604)
> Scriptable HTML attributes need to be returned unescaped
> --------------------------------------------------------
>
> Key: XALANJ-207
> URL: http://nagoya.apache.org/jira/browse/XALANJ-207
> Project: XalanJ2
> Type: Improvement
> Components: Serialization
> Versions: 2.0.1
> Environment: Operating System: All
> Platform: PC
> Reporter: Nathan Vick
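The two serializer behaviours the report contrasts, modelled in JavaScript as an added example (not code from the report or from Xalan); `serializeAttr`, `parseAttr` and `survives` are hypothetical helpers and the sample scripts are constructed. It shows that an escaped ONCLICK value decodes back to the original script in a conforming HTML parser, while an unescaped value survives only when the script contains no double quote and no character reference.

```javascript
// Added example, not code from the report. Helper names are hypothetical.

// Serializer: write a double-quoted HTML attribute. With escaping on, '&' and
// '"' become character references; per XSLT 1.0 section 16.2 an '&' directly
// before '{' is left alone and '<' is not escaped in attribute values.
function serializeAttr(value, escape) {
  if (!escape) return '"' + value + '"';
  return '"' + value.replace(/&(?!\{)/g, '&amp;').replace(/"/g, '&quot;') + '"';
}

// Parser: read up to the closing quote, then decode character references.
// Assumption: only these four semicolon-terminated references are modelled.
function parseAttr(source) {
  const end = source.indexOf('"', 1);
  if (source[0] !== '"' || end === -1) throw new Error('malformed attribute');
  const refs = { amp: '&', lt: '<', gt: '>', quot: '"' };
  const value = source.slice(1, end)
    .replace(/&(amp|lt|gt|quot);/g, (_, name) => refs[name]);
  return { value, leftover: source.slice(end + 1) };
}

// True when the script the browser would run equals the script the stylesheet
// author wrote, with nothing spilling past the attribute's closing quote.
function survives(script, escape) {
  const parsed = parseAttr(serializeAttr(script, escape));
  return parsed.value === script && parsed.leftover === '';
}

// Constructed samples; the first substitutes the report's attribute values
// (1, 2, 3&more) into its window.open call.
const samples = {
  popup: "window.open('AmpersandProblem.xml?parameter1=1&parameter2=2&parameter3=3&more'); return false;",
  quoted: 'document.title = "3&more"; return false;',
  literalRef: "var s = 'a &amp; b'; return false;",
};

// For each sample, does the script survive escaped and unescaped serialization?
function report() {
  const rows = {};
  for (const [name, script] of Object.entries(samples)) {
    rows[name] = { escaped: survives(script, true), raw: survives(script, false) };
  }
  return rows;
}

console.log(report());
```

The `popup` row is the case the reporter cares about: both forms yield the same script in a parser that decodes attribute values, so the escaped form only fails in browsers that skip that decoding step.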