RE: Issues with Packaging Application Payloads

I agree -- once you are forced to translate the contained data into a
format that won't interfere with the wrapper, it doesn't matter so much
whether that translation is base64 or escaping the termination
sequence. (All you really need to escape is "&" and "]]>", which might
run a little faster than escaping all angle brackets, but you still have
to look at everything.)

This all reminds me of the debates long ago about whether comment
delimiters in programming languages should nest. If they did, you could
safely encapsulate arbitrary chunks of code in comment tags. Sadly, most
languages specify non-nesting comment delimiters...

On Thu, 19 Oct 2000, Bob Cunnings wrote:

> Mark:
> 
> We do the same thing here, except that I don't bother with the escapement of '>'.
> Escaping '<' and '&' is sufficient (Am I wrong here?). This behavior is built into 
> the SOAP processor itself in our implementation. However, I view this approach 
> as much less than perfect. The overhead of scanning a string for '<' and '&' and 
> making substitutions is not inconsiderable.
> 
> RC
> 
> Mark Hughes wrote:
> 
>   Then there's #4, the *RIGHT WAY* to do this, which is:
> A) Before inserting your arbitrary text into your XML wrapper, run it
> through a filter that replaces & with &amp;, < with &lt;, and > with &gt;.
> B) Before handing arbitrary text back to the user, run it through a filter
> that replaces &lt; with <, &gt; with >, and &amp; with &.
> 
>   Voila, the problem is solved.  You don't have the byte bloat of base64,
> you don't have the limitation of not including ]]> in CDATA, and you don't
> have to mess up validation.
> 
>   XML is 8-bit clean (through UTF-8/16), so you can even send binary this
> way (though admittedly, at 50% bloat for 128-255, as compared to the 33%
> bloat of base64).
> 
>   It's easy.  It's nigh-perfect.  Why would anyone NOT do this?
> 

Received on Thursday, 19 October 2000 15:56:39 UTC
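
The three packaging options discussed in this thread (entity escaping, CDATA, base64), as an added example that is not part of the original messages. It checks each against a real XML parser; the <body> wrapper element and the sample payload are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample payload: contains '<', '&' and the CDATA terminator ']]>'.
PAYLOAD = 'if (a < b && c[d[0]]> 1) { emit("<msg>R&D</msg>"); }'

def escape_text(s):
    """Filter A from the thread. '&' must be replaced first so the
    entities produced for '<' and '>' are not escaped a second time."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def unescape_text(s):
    """Filter B from the thread. '&amp;' must be replaced last, or an
    original literal '&lt;' would be wrongly turned into '<'."""
    return s.replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&")

def wrap_cdata(s):
    """CDATA cannot contain ']]>', so split each occurrence across two sections."""
    return "<![CDATA[" + s.replace("]]>", "]]]]><![CDATA[>") + "]]>"

def wrap_base64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

def parse_body(encoded):
    """Let the XML parser undo the packaging (hypothetical <body> element)."""
    return ET.fromstring("<body>" + encoded + "</body>").text

def round_trips():
    """True per method if the parser hands back exactly the original payload."""
    b64_text = parse_body(wrap_base64(PAYLOAD))
    return {
        "escape": parse_body(escape_text(PAYLOAD)) == PAYLOAD,
        "cdata": parse_body(wrap_cdata(PAYLOAD)) == PAYLOAD,
        "base64": base64.b64decode(b64_text).decode("utf-8") == PAYLOAD,
    }

def sizes():
    """Encoded length of each packaging, for comparing overhead."""
    return {"raw": len(PAYLOAD), "escape": len(escape_text(PAYLOAD)),
            "cdata": len(wrap_cdata(PAYLOAD)), "base64": len(wrap_base64(PAYLOAD))}

def raw_payload_is_rejected():
    """Without any packaging the payload breaks the wrapper's well-formedness."""
    try:
        ET.fromstring("<body>" + PAYLOAD + "</body>")
    except ET.ParseError:
        return True
    return False
```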