On Wed, Feb 26, 2003 at 06:17:12PM -0800, Kip Hampton wrote:
> >A related question -- can we get at the Apache configuration settings
> >through a similar mechanism?  Or at least any variables that have been
> >set with PerlSetVar?
> 
> You could pretty easily make a Plugin that passes what you need from 
> $r->dir_config in as params.
> 
> >Maybe with a namespace?  
> 
> XSLT params don't have namespaces.

Are you sure?  Every XSLT reference I've seen (Michael Kay's 'XSLT
Second Edition', and numerous web-based references) define the 'name'
value as being a QName, and then go on to define a QName as having an
optional namespace prefix.

In fact, Michael Kay's book says (p284, "The Name of the Parameter")

    The name of the parameter is defined by the QName.  Normally this
    will be a simple name (such as <<num>> or <<list-of-names>>), but it
    may be a name qualified with a prefix, for example <<my:value>>.  If
    it has a prefix, the prefix must correspond to a namespace that is
    in scope at the point in the stylesheet.

> If it's potential name collision with other form or query params that 
> you're concerned about, use a freakish (but descriptive) naming 
> convention that no one in their right mind would ever use for form data.

The reason I suggested different namespaces is that there are countless
examples of web based applications with security holes because they
inadvertently trusted user supplied data.

Many of these exploits are feasible because of assumptions made about
things like hidden fields on forms.  By putting the parameters in to
different namespaces you enforce separation between the different 'trust
domains', and you make it less likely that someone can attack your
application by submitting a parameter that they've crafted to have the
same name as an otherwise internal name.

Off the top of my head, I could see benefit in providing parameters
through to the stylesheet that map to

    Source                      Suggested namespace prefix
    -------------------------------------------------------------
    CGI parameters              cgi:, or query:
    httpd environment           env:
    httpd configuration         httpd:

So something like this:

    <?xml version="1.0" encoding="ISO-8859-1" ?>

    <xsl:stylesheet
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:cgi="http://www.axkit.org/2003/XSL/cgi-parameters"
      version="1.0">

      <xsl:param name="cgi:bugid" select="''"/>

      <!-- use $cgi:bugid to refer to the contents of the 'bugid'
           variable passed in using CGI -->
    </xsl:stylesheet>

These don't have to be available by default (to avoid the processing
overhead).  The AxKit/XSLT engine can enable them if the stylesheet
references the appropriate namespace[1].

N

[1] He says, waving his hands in the air hoping no one will ask 'How?'. . .
-- 
C.R.F. Consulting ltd                                W: 01895 466 766
                                                     M: 07973 840 839
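The trust-domain separation argued for above, as an added example that is not code from the thread or from AxKit: a flat parameter merge (the "use a distinctive name" approach) beside one that keys every parameter by its source's namespace URI. The cgi namespace URI is the one from the mail; the env and httpd URIs, and the simplified local-name check, are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl

# Namespace per trust domain.  NS_CGI is the URI used in the mail; NS_ENV and
# NS_HTTPD are assumed values for this example only.
NS_CGI = "http://www.axkit.org/2003/XSL/cgi-parameters"
NS_ENV = "http://example.invalid/2003/XSL/env-parameters"      # assumed
NS_HTTPD = "http://example.invalid/2003/XSL/httpd-parameters"  # assumed

# Simplified NCName check (assumption: ASCII letters, digits, '_', '-', '.').
# A real XSLT engine rejects a colon in the local part, so we drop such names.
_LOCAL_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")


def flat_params(query_string, env, dir_config):
    """Collision-prone: one flat name space, last writer wins.  Query
    parameters are merged last, so a request overrides a PerlSetVar value
    simply by reusing its name."""
    params = dict(dir_config)
    params.update(env)
    params.update(parse_qsl(query_string, keep_blank_values=True))
    return params


def _add(params, ns, name, value):
    # The URI is fixed by the source, never by the text of the name, so a
    # query parameter can only ever land in the CGI domain.
    if _LOCAL_NAME.fullmatch(name):
        params["{%s}%s" % (ns, name)] = value


def namespaced_params(query_string, env, dir_config):
    """Each source lands under its own namespace URI (Clark notation
    '{uri}local'), mirroring $httpd:name, $env:name and $cgi:name in the
    stylesheet."""
    params = {}
    for name, value in dir_config.items():
        _add(params, NS_HTTPD, name, value)
    for name, value in env.items():
        _add(params, NS_ENV, name, value)
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        _add(params, NS_CGI, name, value)
    return params


def httpd_param(params, name):
    """Look up a configuration value the way $httpd:name would."""
    return params.get("{%s}%s" % (NS_HTTPD, name))


if __name__ == "__main__":
    # Constructed request: the client reuses the internal name 'bugid'.
    q = "bugid=9999&httpd:bugid=9999"
    print(flat_params(q, {}, {"bugid": "1"})["bugid"])           # 9999 (overridden)
    print(httpd_param(namespaced_params(q, {}, {"bugid": "1"}), "bugid"))  # 1
```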
