Back in about 2006, I wrote a nice XSLT that transformed my RSS feeds into custom HTML. That way if a user clicked from a browser it would display as a simple page rather than a bunch of junk XML. If that same URL was used in a feed reader it was handled properly and everything was slick.
Now days, most browsers (IE, Firefox, Safari, Opera) seem to grab hold of the styles and won't let go. And Chrome just plain ignores the stylesheet transformation.
Given that it has been several years, am I simply forgetting some detail? Didn't it used to just be this easy?
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="/atom2html.xslt"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<!-- ... -->
</feed>
Anyone know if there is a way to override those browsers with very specific ideas of feed styling? And is there any way to get something nice out of Chrome?
Chrome appears to only apply the XSLT processing instruction if the Content-Type for the feed response is set to XML, not Atom.
This displays XSLT in Chrome:
Content-Type: application/xml
This does not display any styling (which is technically the more correct type):
Content-Type: application/atom+xml
It is now default behaviour for most browser to apply their own XSLT to any Atom/RSS feed they come across, very annoying. A feed is identified through the application/atom+xml mime type for Atom and application/rss+xml for RSS
You used to be able to circumvent this by filling the first 512 bytes of the feed with crud in the form of a comment. This would throw off the feed sniffing of the browser and allow you to apply your own XSL Stylesheet. This has worked for years for me but with IE8 this behaviour has gone out of the window and the 512 bytes comment doesn't work anymore. I have now switched over to server side processing but I still lament this decision from browser makes.
I'm not aware of a way to fool IE & FF & Safari's automatic display of RSS/Atom feeds, but in Chrome the XSLT is correctly applied via the xml-stylesheet processing instruction; here is an example from the Randonneur Group pool at flickr.
Related
While testing Orbeon forms for vulnerabilities of the Reflected Cross Site Scripting type (https://en.wikipedia.org/wiki/Cross-site_scripting#Reflected_.28non-persistent.29) we noticed that it is possible to pass request parameters with script tags in them which can then be output using xf:output.
Shouldn't Orbeon validate (or at least sanitize) the request parameters when they are retrieved using xxf:get-request-parameter() or when they are output using xf:output to prevent this kind of security vulnerability?
I tested this with the latest version of Orbeon (orbeon-2016.3.201612302139-CE) and a Jetty container.
Note that you cannot use Tomcat since it does its own validation on request parameters and you cannot use Chrome because it sanitizes the output for you (stripping the script content).
A small sample form that demonstrates this:
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:xh="http://www.w3.org/1999/xhtml"
xmlns:xf="http://www.w3.org/2002/xforms"
xmlns:xxf="http://orbeon.org/oxf/xml/xforms">
<head>
<title>Reflected XSS</title>
<xf:model>
<xf:instance id="default">
<root xmlns="">
</root>
</xf:instance>
<xf:var name="testvar" value="xxf:get-request-parameter('test')"/>
</xf:model>
</head>
<body>
<p>This is an example to show that Orbeon is vulnerable to Reflected Cross Site Scripting attacks.</p>
<p>Access this form and pass a request parameter with some javascript like: /?test=bla%00rje1w<script>alert(1)<%2fscript></p>
<p><xf:output value="$testvar"/></p>
</body>
</html>
This turned out to be a bug related to HTML serialization. The issue is now fixed.
Separately, we can think more about whether sanitation of request parameters is needed, including rejecting or removing character #00. Form data itself should be covered because it comes in from XML requests, and XML explicitly disallows this (and a few other) characters.
I have searched MailChimp's documentation as well as other sites but cannot seem to figure out how to use both conditional merge tag blocks with |FEED| merge tags.
Basically I am wanting to combine the two in order to include posts from multiple blogs in my e-mail campaign; in particular, I would like to use conditional logic so that any RSS feeds evaluated as "empty" (meaning no new items) receive alternative content that says something along the lines of "no updates available."
I have tried to come up with a few ways of doing this - none have been successful, but here's the type of thing I had in mind:
*|FEEDBLOCK:http://www.mailchimp.com/blog/feed/|*
*|FEED:TITLE|*
*|IF:FEED:POSTS[$content=full] != |*
*|FEED:POSTS[$count=3,$content=titles]|*
*|ELSE:|*
no updates available for this feed
*|END:IF|*
*|END:FEEDBLOCK|*
any help would be appreciated.
Well, this question is from ages ago, but I had a similar problem and figured out a (really hacky) work-around...
Assumptions:
1. You're using a (very) custom RSS feed
2. You're overriding the default RSS tags with custom content
In my use case, I'm using the <category> RSS tag, which MailChimp reads in via the *FEEDITEM:CATEGORY* merge tag. I'm using this as a subheading for my RSS feed, instead.
If that subheading is filled out in the admin (that is, whatever admin system you're using to spit out the RSS feed), I want to include it in the feed -- but I also need to add in more html for the email template. The solution is including the required html in the RSS feed. (Like I said -- hacky.)
Shockingly, this works. Mailchimp dutifully pulls in all the html/css.
The RSS feed (vastily simplied here) looks something like this:
<channel>
<item>
<category><![CDATA[ <table><td><tr><div class="example">Sub Headline</div></tr></td> ]]></category>
</item>
<channel>
If that field is not set in my custom admin, then no <category> tags at all are outputted, and MailChimp simply ignores that merge tag.
So basically, any email HTML code that you want to display only if the merge tag is valid, should show up in the feed itself.
Definitely not ideal, but it works.
YMMV...
MailChimp is still very limited with it's conditional tags, which are limited to subscriber data. RSS feed conditions would be a welcome addition.
http://blog.mailchimp.com/conditional-dynamic-content-in-mailchimp/
I need a way to transform XML to HTML (using XSL) but without a server. So, I want to create a standalone HTML file (with hardcodes XSL path and name).
Allow the user to select an XML
Transform it with the XSL and display results in browser
Original XML cannot be changed (so cannot just embed XSL in XML)
Is this possible? Everything I found requires post, but I'm not using a server
Regards
Mark
Yes, it's possible. And you don't need javascript to do it, but you can use javascript if you want.
Just look at the previous (XSLT question)[https://stackoverflow.com/questions/12964917]
Use a processing-instruction like...
<?xml-stylesheet type="text/xsl" href="soccer.xslt"?>
Refer:
Direct linkage through pi: http://www.w3.org/TR/xml-stylesheet/
Transform through javascript:
http://dev.ektron.com/kb_article.aspx?id=482
Calling XSLT from javascript
I have deployed my webservice into Tomcat.
The WSDL has got some operations like ViewOptions, but when I ran that, I got this error:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>1</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
Why do we get this error?
The message isn't an "error" but rather a warning n need not be solved but ignored. An XML document is a data structure but does not contain any presentation/style information internally. Normally an XML document is used in inter-application communication or as a pure data structure that is then used with additional presentation/style information to display to users.
XML can be applied style by XSLT just as HTML by CSS and the above warning can be eradicated An eg: of applying xls to xml
We don't present xml using xls for RSS, Web Services as they are just used for communication without applying stylesheet rather than meant to be presented to user in browser.
So, everything is fine here.
what worked for my case. I replaced all the links of ... with window.open("...link", "_self") and changed
import {
HashRouter as Router,
} from 'react-router-dom';
I'm using lib-cURL as a HTTP client to retrieve various pages (can be any URL for that matter).
Usually the data comes as a UTF-8 string and then I just call "MultiByteToWideChar" and it works well.
However, some web-pages still use code-page encoding and I see gibberish if i try to convert those pages to UTF-8.
Is there an easy way to retrieve the code page from the data? or I'll have to scan it manually (for "encoding=") and then translate it accordingly.
If so, how do i get the code-page id from name (Code Page Identifiers)?
Thanks,
Omer
There are several location where a document can state its encoding:
the Content-Type HTTP header
the (optional) XML declaration
the Content-Type meta tag inside the document header
for HTML5 documents the charset meta tag.
There are probably even more I've forgotten.
In the end, detecting the actual encoding is rather hard. You really shouldn't do this yourself but use high-level libraries for retrieving and parsing HTML content. I'm sure they are available even for C++, even if they have to be thiefed from the a browser environment. :)
I used DetectInputCodepage in IMultiLanguage2 interface and it worked great !