Does SaxonCE support regex flag "!"? - regex

I have xsl stylesheet that uses flag ! a lot. I found that very handy since xpath 2.0 specification limits regular expressions usage.
This stylesheet was intended to be used in web-based application (php) for transforming user input data and generating output, so SaxonCE came to my mind. But it throws error unrecognized flag '!' .
So, is there way around this? Does Saxon/C support ! flag at least? Or the best way is to use SaxonHE and somehow connect it with web app?
EDIT:
To be clear, ! is special flag used in Saxon products that tells xslt processor to use his own regex engine instead of xpath one, It is not w3c recommendation, more like extra feature.

Related

XSLT Reports and Internet Explorer

with IE at its EOL and allowing file access from files in Chrome is not a viable option for us, what is the future of XSLT reports?
I am fairly new to this, and have just been "thrown" into finding a solution. Everything I'm finding online is years old, it's strange that no one is talking about this since "death" of IE.
our data is in XML format, using XSL templates to display formatted reports to browser via ScriptX (smsx.cab) (with page breaks, headers, etc). The user then "prints to PDF"
I am hoping to see what other organizations are doing to ensure existing XSLT reports continue to work. Converting to something else? Making them work with other, currently supported, browsers?
thank you, all and any tips, links and comments much appreciated.
You could try executing your XSLT transformations using a local script.
Take note that these solutions only support XSLT 1.0.
MSXML
successor of msxsl.exe?
PowerShell
Applying XSL to XML with PowerShell : Exception calling "Transform"
If you want to use XSLT 2.0+
You can use Saxon and call the jar file from a batch file.
https://www.saxonica.com/

Where do I get test-stylesheets to be able to use xsltproc?

I'm little lost here. I'm using googltest framework and just want to transform the xml report to an html. I found that xsltproc does the job:
xsltproc style.xsl report.xml -o report.hmtl
but first I need to get a stylesheet. Just a basic-generic stylesheet so the result can be visualized on a browser, where can I find it?
Firstly, you've tagged this XSLT 2.0, but xsltproc only supports XSLT 1.0.
Secondly, without knowing what flavour of XML is in report.xml, there isn't really very much one can do by way of a useful generic transformation to HTML. There are attempts like this one:
Generic XSLT to tabluate XML
but whether it produces results that work for you depend entirely on your input and desired output, which you haven't told us anything about.

XSLT Regex Replace Function

We've been pulling our hair out just trying to just trying to get a basic example of the XSLT replace function to work.
I'm leaving this text in tact for context, but you may want to skip to the update
We're using Mirth to pull in HL7 messages. We're unsure whether this supports XSLT version 2, but we believe it uses SAXON - http://saxon.sourceforge.net/, which purportedly does support XSLT2 and hence the replace function.
In any case, we tried using XSLTCake to try and get even a demo replacement to work, to no avail. We've seen this either referenced as replace or fn:replace as well as a couple other suggestions using other libraries.
If XSLT2 isn't supported by Mirth, we would need a workaround for XSLT1. We found one here: XSLT string replace - but have been unable to get this to work either.
This is a tough to get down to a single question as I'm asking alot, but here goes... Can anyone provide a working example of performing a regex replacement in an XSLT? Preferably one that will run in an online parser for reference.
Here's a sample - which apparently should work.1
Update
Thanks to Michael Kay for providing code below to determine XSLT version.
<!--Transformed using 1.0 provided by Apache Software Foundation (Xalan XSLTC)-->
So It turns out we were all wrong about Mirth using SAXON and hence supporting XSLT2. I'll update with our attempt at implementing the version 1 workaround.
First find out which XSLT processor you are using. This is straightforward: insert this
<xsl:comment>Transformed using <xsl:value-of select="system-property('xsl:version')"/> provided by <xsl:value-of select="system-property('xsl:vendor')"/></xsl:comment>
into your stylesheet to output a comment in your result document.
Once you know what programming language you are using, you can start thinking about writing code.

using regex to modify an xml

I need to change the following
<elor>crap</elor></utha>
to
<elor>crap</elor>
</utha>
I want to use regex to do this, I don't want any alignment mismatch (for some lame reason)
it would be more helpful if anyone could point out editplus3 regex for this.
Let me broaden the scope of this question, I used java DOM API to add element to existing XML, where this alignment mismatch is happening, I having trouble merging this file. If it is possible to avoid alignment issue at the DOM level I am more than happy to try.
Never mind, just explore EditPlus 3 regex capabilities. use /n and /t judiciously It would solve this issue.

Allowing code snippets in form input while preventing XSS and SQL injection attacks

How can one allow code snippets to be entered into an editor (as stackoverflow does) like FCKeditor or any other editor while preventing XSS, SQL injection, and related attacks.
Part of the problem here is that you want to allow certain kinds of HTML, right? Links for example. But you need to sanitize out just those HTML tags that might contain XSS attacks like script tags or for that matter even event handler attributes or an href or other attribute starting with "javascript:". And so a complete answer to your question needs to be something more sophisticated than "replace special characters" because that won't allow links.
Preventing SQL injection may be somewhat dependent upon your platform choice. My preferred web platform has a built-in syntax for parameterizing queries that will mostly prevent SQL-Injection (called cfqueryparam). If you're using PHP and MySQL there is a similar native mysql_escape() function. (I'm not sure the PHP function technically creates a parameterized query, but it's worked well for me in preventing sql-injection attempts thus far since I've seen a few that were safely stored in the db.)
On the XSS protection, I used to use regular expressions to sanitize input for this kind of reason, but have since moved away from that method because of the difficulty involved in both allowing things like links while also removing the dangerous code. What I've moved to as an alternative is XSLT. Again, how you execute an XSL transformation may vary dependent upon your platform. I wrote an article for the ColdFusion Developer's Journal a while ago about how to do this, which includes both a boilerplate XSL sheet you can use and shows how to make it work with CF using the native XmlTransform() function.
The reason why I've chosen to move to XSLT for this is two fold.
First validating that the input is well-formed XML eliminates the possibility of an XSS attack using certain string-concatenation tricks.
Second it's then easier to manipulate the XHTML packet using XSL and XPath selectors than it is with regular expressions because they're designed specifically to work with a structured XML document, compared to regular expressions which were designed for raw string-manipulation. So it's a lot cleaner and easier, I'm less likely to make mistakes and if I do find that I've made a mistake, it's easier to fix.
Also when I tested them I found that WYSIWYG editors like CKEditor (he removed the F) preserve well-formed XML, so you shouldn't have to worry about that as a potential issue.
The same rules apply for protection: filter input, escape output.
In the case of input containing code, filtering just means that the string must contain printable characters, and maybe you have a length limit.
When storing text into the database, either use query parameters, or else escape the string to ensure you don't have characters that create SQL injection vulnerabilities. Code may contain more symbols and non-alpha characters, but the ones you have to watch out for with respect to SQL injection are the same as for normal text.
Don't try to duplicate the correct escaping function. Most database libraries already contain a function that does correct escaping for all characters that need escaping (e.g. this may be database-specific). It should also handle special issues with character sets. Just use the function provided by your library.
I don't understand why people say "use stored procedures!" Stored procs give no special protection against SQL injection. If you interpolate unescaped values into SQL strings and execute the result, this is vulnerable to SQL injection. It doesn't matter if you are doing it in application code versus in a stored proc.
When outputting to the web presentation, escape HTML-special characters, just as you would with any text.
The best thing that you can do to prevent SQL injection attacks is to make sure that you use parameterized queries or stored procedures when making database calls. Normally, I would also recommend performing some basic input sanitization as well, but since you need to accept code from the user, that might not be an option.
On the other end (when rendering the user's input to the browser), HTML encoding the data will cause any malicious JavaScript or the like to be rendered as literal text rather than executed in the client's browser. Any decent web application server framework should have the capability.
I'd say one could replace all < by <, etc. (using htmlentities on PHP, for example), and then pick the safe tags with some sort of whitelist. The problem is that the whitelist may be a little too strict.
Here is a PHP example
$code = getTheCodeSnippet();
$code = htmlentities($code);
$code = str_ireplace("<br>", "<br>", $code); //example to whitelist <br> tags
//One could also use Regular expressions for these tags
To prevent SQL injections, you could replace all ' and \ chars by an "innofensive" equivalent, like \' and \, so that the following C line
#include <stdio.h>//'); Some SQL command--
Wouldn't have any negative results in the database.