Problems passing un-sanitized XML to client


#1

I’m trying to store an xsl stylesheet in the database and return it
to the client, but at some point in the process all the angle
brackets, etc. are parsed out of the xml, so I get &lt;defaults&gt;
instead of <defaults>. Anyone have any pointers how I would go about
turning off that behavior?

-Derek


#2

Derek Gulbranson wrote:

I’m trying to store an xsl stylesheet in the database and return it to
the client, but at some point in the process all the angle brackets,
etc. are parsed out of the xml, so I get &lt;defaults&gt; instead of
<defaults>. Anyone have any pointers how I would go about turning off
that behavior?

Assuming it’s just being piped down to the browser, check you’ve not got
anything like:

<%=h @xsl %>

in your views. The ‘h’ is short for ‘html_escape’.

Other than that, we’ll need to know more about the path the xsl takes
between the database and the client.


#3

So I installed the Arachno Ruby IDE and was able to track down a bit
of what’s happening. The string seems to get encoded somewhere in the
ActionWebServices::Protocol::soap::SOAPMarshaler process, although
the Arachno Ruby IDE interface doesn’t allow me to inspect the full
value of variables, only the first little bit that shows up in the
side panel, so I can’t inspect the full string to see exactly where
it’s happening. Definitely happening somewhere within the soap
libraries. I guess since it gets a string, it sanitizes it.

I tried passing a REXML object instead of a string but same result.
Maybe I should create some sort of SOAP object out of the string? But
what kind? I have only a basic concept of what SOAP is and the SOAP
libraries are fairly over my head, so any suggestions would be
appreciated.

But basically I believe that the :string type will not work for
passing XML or HTML via the SOAP protocol with ActionWebServices, as
strings always get sanitized by the SOAP libraries.

-Derek
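
Added example, not code from the thread: it shows what the `h` helper mentioned in post #2 does to a stylesheet string, and that the escaping an XML serializer applies to string content (the behaviour post #3 observes in the SOAP layer) is reversed when the receiving side reads the value with an XML parser. The `Envelope/Body/return` element names and the sample stylesheet are constructed for illustration and are not ActionWebService's actual wire format.

```ruby
require "erb"
require "rexml/document"

# Constructed sample stylesheet standing in for the value stored in the database.
SAMPLE_XSL =
  %(<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">) +
  %(<xsl:template match="/"><defaults note="a &amp; b"/></xsl:template>) +
  %(</xsl:stylesheet>)

# What a view emits with and without the `h` (html_escape) helper.
def render_view(xsl, escape:)
  template = escape ? "<%= ERB::Util.h(xsl) %>" : "<%= xsl %>"
  ERB.new(template).result_with_hash(xsl: xsl)
end

# Hypothetical response envelope. The serializer escapes markup characters in
# string content so the payload cannot break or alter the outer document.
def wrap_in_envelope(xsl)
  doc = REXML::Document.new
  ret = doc.add_element("Envelope").add_element("Body").add_element("return")
  ret.text = xsl
  doc.to_s
end

# An XML parser on the receiving side undoes that escaping when the
# element's text value is read.
def unwrap_envelope(wire)
  REXML::Document.new(wire).elements["Envelope/Body/return"].text
end

if __FILE__ == $PROGRAM_NAME
  puts "view with h:    #{render_view(SAMPLE_XSL, escape: true)[0, 40]}..."
  puts "view without h: #{render_view(SAMPLE_XSL, escape: false)[0, 40]}..."
  wire = wrap_in_envelope(SAMPLE_XSL)
  puts "on the wire:    #{wire[0, 60]}..."
  puts "round trip ok:  #{unwrap_envelope(wire) == SAMPLE_XSL}"
end
```

If the value still shows `&lt;` after the client has parsed the response, it was escaped a second time somewhere (for example by `h` in a view) or is being read as raw text rather than through an XML parser.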