[XML-SIG] problem with elementtree 1.2.6
chris at simplistix.co.uk
Fri Nov 30 00:30:59 CET 2007
Fredrik Lundh wrote:
> Chris Withers wrote:
>>> That's how escaping works, be it in XML, encodings, compression, whatever.
>> Well yes and no. I'd expect escaping to work such that whatever we're
>> dealing with can be round tripped, ie: parsed, serialiazed, parsed
>> again, etc.
> that's exactly how it works in ET, of course.
I didn't say it didn't ;-)
> cdata is character data; see
> that's not the same thing as a "CDATA section" (which is just one of
> several ways to store character data in an XML file).
Ug. How confusing :-(
> how things are
> stored doesn't matter; that's just a serialization detail:
> What is not in the Information Set
> 6. Whether characters are represented by character references.
> 19. The boundaries of CDATA marked sections.
I'm not sure I follow what you're trying to say...
>> I and many others do not ;-) When writing content into an html template,
>> that content often comes from other sources that spit out lumps of html.
>> Being able to insert them without escaping is a common use case.
> HTML might be similar to XML, but an XML parser cannot parse HTML, so
> you cannot insert HTML fragments into an XML document without either
> escaping it, or pre-processing it to make sure it's well-formed.
What about xhtml?
> if you want to embed HTML fragments in an ET tree, use ElementTidy or
> ElementSoup (or equivalent) to turn the fragment into properly nested
> and properly namespaced XHTML.
> if you want to do unstructured string handling, use a template library
I'm using/building a templating library, it just happens that ET is an
implementation detail of that template library ;-)
>> That's true, sometimes. That inserted lump may have come from a process
>> which can only spit out perfect html fragments, in which case you're
>> fine, or it may come from user input, in which case you're doomed but
>> will likely have happy customers ;-)
> the hackers will be happy, at least:
user -> content author in this case.
Since they usually own and run the system to which they're adding
content, a much more effective attack would just be to turn the box off :-P
Simplistix - Content Management, Zope & Python Consulting
More information about the XML-SIG