XML as data in HTML form post : how to escape special characters(x-postedTo XMLForum)

Dev Shed Forums Sponsor:

May 1st, 2013, 12:14 PM

ndrw_cheung

Registered User

Join Date: May 2013

Posts: 5

Time spent in forums: 2 h 51 sec
Reputation Power: 0

Homework - XML as data in HTML form post : how to escape special characters(x-postedTo XMLForum)

Hi. I have an HTML form where the data for one of the input fields is an xml string.

<htmlCode>
<form action="xxx" method="post">
<input type='hidden' id='myName' name='myName' value='joe'/>
<input type='hidden' id='myXML' name='myXML' value='<myData><userid value="123"/><remarks text="age is < 65"/></myData>'/>
</form>
</htmlCode>

where xxx is some url.

My question is : When I post this form, "<" is being URLencoded and changed to %3C. However, on the destination side, the data sent over is not valid, since it thinks that the opening "<" for the remarks tag is not closed.

How can I send data containing characters such as "<" in an xml string that is a value of an input element in a form post correctly?

Any help is appreciated.

-Andrew

P.S. I'm x-posting this to the XML Programming forum since part of it involves XML

May 1st, 2013, 12:44 PM

requinix

Still alive

Join Date: Mar 2007

Location: Washington, USA

Posts: 12,698

Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1

Time spent in forums: 5 Months 1 Week 4 Days 4 h 54 m 57 sec
Reputation Power: 8969

Send a message via Google Talk to requinix

The < you have is only HTML encoding it. It'll be decoded by the browser automatically. In fact you should be doing that for the other <s and >s too.

So actually you need to double-encode it.

Code:

<myData>
    <userid value="123" />
    <remarks text="age is &lt; 65" />
</myData>

Code:

<input ... value='&lt;myData&gt;&lt;userid value="123"/&gt;&lt;remarks text="age is &amp;lt; 65"/&gt;&lt;/myData&gt;' />

For extra credit, simply HTML-encode everything. That'll turn "s into "s too.

__________________
Site rules and FAQ | Project Suggestions | mod_rewrite guide | PHP New User Guide and FAQ - PHP Stickies | Regex Resources

May 1st, 2013, 01:27 PM

ndrw_cheung

Registered User

Join Date: May 2013

Posts: 5

Time spent in forums: 2 h 51 sec
Reputation Power: 0

Thanks for your help, requinix. I did a double-encoding as per your suggestion and it passes the data over to the destination ok. However, at the destination, when it displays the remarks field in a textbox, the html code for < shows up as the code (that is

Code:

&lt;

) instead of as <.

How can I make it to show < instead?

-Andrew

Quote:

Originally Posted by requinix

The < you have is only HTML encoding it. It'll be decoded by the browser automatically. In fact you should be doing that for the other <s and >s too.

So actually you need to double-encode it.

Code:

<myData>
    <userid value="123" />
    <remarks text="age is &lt; 65" />
</myData>

Code:

<input ... value='&lt;myData&gt;&lt;userid value="123"/&gt;&lt;remarks text="age is &amp;lt; 65"/&gt;&lt;/myData&gt;' />

For extra credit, simply HTML-encode everything. That'll turn "s into "s too.

Last edited by ndrw_cheung : May 1st, 2013 at 01:55 PM. Reason: < shows up as <

May 1st, 2013, 03:07 PM

requinix

Still alive

Join Date: Mar 2007

Location: Washington, USA

Posts: 12,698

Time spent in forums: 5 Months 1 Week 4 Days 4 h 54 m 57 sec
Reputation Power: 8969

This forum software is awkward with HTML entities. It shows up as &amp+lt?
To confirm: there's one HTML-entitizing for the entire XML string, and a separate additional one for the <remarks>'s text?

Using PHP as an example,

PHP Code:


		
			
 $text = "age is < 65";

// encode once to keep the text as literal text

$xml = "<myData>...<remarks text=\"" . htmlspecialchars($text) . "\" />...</myData>";

?>



<!-- encode twice to keep the value as a literal value -->

<input ... value="<?=htmlspecialchars($xml)?>" />

May 1st, 2013, 03:22 PM

ndrw_cheung

Registered User

Join Date: May 2013

Posts: 5

Time spent in forums: 2 h 51 sec
Reputation Power: 0

Yes. I did exactly what your PHP code does (only I did it in Java), but in the textbox at the destination page, it shows the < as the HTML-entitized value.

Should I do anything on my side so that it shows up correctly as < or would it be on the destination that they have to do something about it?

-Andrew

Quote:

Originally Posted by requinix

PHP Code:


		
			
 $text = "age is < 65";

// encode once to keep the text as literal text

$xml = "<myData>...<remarks text=\"" . htmlspecialchars($text) . "\" />...</myData>";

?>



<!-- encode twice to keep the value as a literal value -->

<input ... value="<?=htmlspecialchars($xml)?>" />

May 1st, 2013, 06:40 PM

requinix

Still alive

Join Date: Mar 2007

Location: Washington, USA

Posts: 12,698

Time spent in forums: 5 Months 1 Week 4 Days 4 h 54 m 57 sec
Reputation Power: 8969

That lone < needs to be entitied. You should literally see

Code:

<myData><userid value="123" /><remarks text="age is &lt; 65" /></myData>

in the textbox.

May 2nd, 2013, 07:34 AM

ndrw_cheung

Registered User

Join Date: May 2013

Posts: 5

Time spent in forums: 2 h 51 sec
Reputation Power: 0

The problem is that the destination is a third-party website, and I don't know how they process the data once it gets there before displaying it in a textbox.

When you say that the lone < needs to be entitied, do you mean it should be html-DECODED at the destination side, since it shows up as an html-encoded version (ampersand-l-t-semicolon)?

-Andrew

Quote:

Originally Posted by requinix

That lone < needs to be entitied. You should literally see

Code:

<myData><userid value="123" /><remarks text="age is &lt; 65" /></myData>

in the textbox.

Homework - XML as data in HTML form post : how to escape special characters(x-postedTo XMLForum)

Developer Shed Advertisers and Affiliates