Bytes | Software Development & Data Engineering Community
HTML Entity Output Escaping

Hi,

My question is around HTML entities and XML output (although I use php, I felt this was more an XSLT question).

Given the below, am I safe to not escape HTML entities on input anymore?

I used to retrieve HTML fragments from a MySQL backend to echo out to the page (using php). I performed the HTML Entity escaping at the point of storage to reduce processing when the page was loaded.

Common entity conversions (using php's htmlentities function) were: single quote, double quote, ampersands, and angular brackets.

I have since changed from direct echo to an XML/XSLT methodology. Now, I retrieve the data from MySQL and convert it into XML (using DOMDocument), serving that up to the browser with XSLT.

Since XML automatically escapes both less-than angular brackets and ampersands, does this provide the same level of protection against HTML injection? (e.g. script tags)

I always just called the htmlentities function in php, but the data I store is now not compatible with the XML/XSLT method, unless I use the disable-output-escaping attribute to ensure the HTML is read as normal, which I don't want to do for every output tag.

Otherwise, you see the ampersand, at the start of the stored HTML entity, being escaped again, and it looks like HTML markup is turning up everywhere.

Essentially, is it safe for me to have normal text characters like quotes within HTML, or is there a reason why php converts all of those as well?

Regards,
Rob.
Oct 22 '11 #1
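Added example, not from the original post: a small Python model of the two strategies the question compares. Python's `xml.etree.ElementTree` stands in for PHP's DOMDocument serializer and `html.escape` stands in for `htmlentities` (assumed to escape the same set of characters); the element name `item`, the `title` attribute and the sample fragment are constructed for the demonstration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample input: an HTML fragment as a user might submit it,
# containing a script tag, an ampersand and both kinds of quote.
USER_INPUT = '<script>alert(1)</script> Tom & "Jerry" said \'hi\''


def store_pre_escaped(fragment):
    """Old strategy: escape at storage time. html.escape stands in for
    PHP's htmlentities (assumption: same characters, & < > " ')."""
    return html.escape(fragment, quote=True)


def to_xml(text, attr=None):
    """New strategy: put the stored value into an XML text node (and optionally
    an attribute) and serialize. ElementTree stands in for DOMDocument here;
    both escape & < > in text and additionally " in attribute values."""
    item = ET.Element("item")
    item.text = text
    if attr is not None:
        item.set("title", attr)
    return ET.tostring(item, encoding="unicode")


def with_output_escaping_disabled(text):
    """What disable-output-escaping="yes" amounts to: the stored string is
    copied into the output verbatim, so any markup in it becomes live."""
    return "<item>" + text + "</item>"


def has_live_script_tag(markup):
    """Detection check: a raw <script tag surviving into the output means the
    fragment would execute in the browser rather than display as text."""
    return "<script" in markup


if __name__ == "__main__":
    # Raw storage + XML serializer: the tag is neutralised, quotes untouched.
    print(to_xml(USER_INPUT))
    # Pre-escaped storage + XML serializer: double escaping, so the browser
    # shows literal "&lt;script&gt;" text, the symptom described in the post.
    print(to_xml(store_pre_escaped(USER_INPUT)))
    # Attribute context: the serializer also escapes the double quote.
    print(to_xml("x", attr='a "b" <c>'))
    # disable-output-escaping on raw storage: injection is live again.
    print(with_output_escaping_disabled(USER_INPUT))
```

The serializer only protects element text and attribute values; a value that XSLT places into a JavaScript block or a URL still needs escaping for that context.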