[oslc-core] OSLC Compact representation, titles with markup
Samuel Padgett
spadgett at us.ibm.com
Sun Aug 7 13:00:51 EDT 2011
I believe the spec is a bit confusing when it comes to titles with markup
for UI Preview.
The Compact representation has a dcterms:title property. It's defined as an
XML Literal that can contain XHTML markup [1]. My understanding of XML
Literals as discussed in the RDF Primer [2] means a title with markup would
look like this,
<dcterms:title>12345: <s>Null pointer exception during
startup</s></dcterms:title>
The example [3] of this resource has a title like this, however,
<dcterms:title>12345: &lt;s&gt;Null pointer exception during startup&lt;/s&gt;</dcterms:title>
The example doesn't seem to fit with the description.
It's very difficult to parse the former using XPath. For instance, the
expression "/oslc:Compact/dcterms:title" takes out the "<s>" and "</s>".
Most implementations I'm aware of also follow the example where markup is
encoded. It means special characters need to be "double encoded." For
instance, "12345: Values > 1000 incorrectly calculated" would be,
<dcterms:title>12345: Values &amp;gt; 1000 incorrectly calculated</dcterms:title>
I think we should add more clarity to the spec here, as getting this wrong
can open up consumers to cross-site scripting attacks. I'd also suggest we
say that providers MUST NOT use any markup with a <script> tag and consumers
MUST NOT display any markup with a <script> tag to guard against this
problem.
Best Regards,
Sam
[1] http://open-services.net/bin/view/Main/OslcCoreUiPreview?sortcol=table;up=#Representation_Compact
[2] http://www.w3.org/TR/rdf-syntax/#xmlliterals
[3] http://open-services.net/bin/view/Main/OslcCoreUiPreview?sortcol=table;up=#XML_Representation_Format
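As an added example (not part of the original mail or of the OSLC spec), a consumer-side Python routine that reads dcterms:title from both spellings the mail contrasts, decodes exactly once so the double-encoded case comes out right, and strips script elements and attributes before the title is displayed. The namespace URIs are the standard RDF, Dublin Core and OSLC Core ones; the sample documents are constructed.

```python
"""Consumer-side handling of an OSLC Compact dcterms:title that carries XHTML
markup either as an XML Literal or entity-encoded inside a plain literal."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
DCTERMS = "http://purl.org/dc/terms/"
OSLC = "http://open-services.net/ns/core#"
ALLOWED = {"b", "i", "u", "s", "em", "strong", "span"}  # inline tags we render
DROP_WITH_CONTENT = {"script", "style"}  # tag and body are both discarded

def compact(title_elem: str) -> str:
    """Constructed sample Compact document wrapping one dcterms:title element."""
    return (f'<rdf:RDF xmlns:rdf="{RDF}" xmlns:dcterms="{DCTERMS}" xmlns:oslc="{OSLC}">'
            f"<oslc:Compact>{title_elem}</oslc:Compact></rdf:RDF>")

# The two spellings from the mail, a double-encoded '>' and a hostile title (all constructed).
LITERAL = compact('<dcterms:title rdf:parseType="Literal">12345: <s>Null pointer exception during startup</s></dcterms:title>')
ENCODED = compact("<dcterms:title>12345: &lt;s&gt;Null pointer exception during startup&lt;/s&gt;</dcterms:title>")
DOUBLE = compact("<dcterms:title>12345: Values &amp;gt; 1000 incorrectly calculated</dcterms:title>")
HOSTILE = compact('<dcterms:title rdf:parseType="Literal">12345: <script>bad()</script><b onclick="x()">Crash</b></dcterms:title>')

def title_markup(doc: str) -> str:
    """Return the title's XHTML markup as one string, decoded exactly once."""
    title = ET.fromstring(doc).find(f".//{{{DCTERMS}}}title")
    if title is None:
        return ""
    if len(title):  # XML Literal: the markup arrived as real child elements
        parts = [title.text or ""]
        for child in title:
            tail, child.tail = child.tail, None  # serialise the element, then its tail
            parts.append(ET.tostring(child, encoding="unicode") + (tail or ""))
        return "".join(parts)
    # Plain literal: the XML parser already undid one layer of encoding, so
    # &lt;s&gt; is now <s> and the double-encoded &amp;gt; is now &gt;.
    return title.text or ""

def sanitize(markup: str) -> str:
    """Keep allow-listed inline elements only, strip every attribute, and drop
    script/style elements together with their content before display."""
    def clean(el: ET.Element) -> str:
        out = [escape(el.text or "")]
        for child in el:
            tag, tail = child.tag.lower(), escape(child.tail or "")
            if tag in DROP_WITH_CONTENT:
                out.append(tail)
            elif tag in ALLOWED:
                out.append(f"<{tag}>{clean(child)}</{tag}>{tail}")
            else:  # unknown element: keep its text, lose the tag
                out.append(clean(child) + tail)
        return "".join(out)
    return clean(ET.fromstring(f"<root>{markup}</root>"))

if __name__ == "__main__":
    for doc in (LITERAL, ENCODED, DOUBLE, HOSTILE):
        print(sanitize(title_markup(doc)))
```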