[oslc-core] OSLC Compact representation, titles with markup
Randy Hudson
hudsonr at us.ibm.com
Mon Aug 8 11:41:54 EDT 2011
Sam,
I agree that the spec needs to be more clear, but I don't agree with your
interpretation of the current spec.
If the spec says that a property's value is of type "string", then to
persist the string "<foo>" in XML+RDF, you must escape that string as
"<foo>" in the raw XML. It's my understanding (and I could be wrong)
that this is true of any data type, including XML Literal. So if the
title's value were "<b>foo</b>", persisting that value to XML+RDF would
require escaping characters like '<'. Persisting that same value using
another format, like N3, maybe wouldn't require the same characters to be
escaped.
I have some suggested changes that I'll get to in a future email, but can
we first agree that the current spec's example does in fact agree with the
current spec? I think it's important that we all start on the same page
before we write the next one :-)
-Randy
|------------>
| From: |
|------------>
>--------------------------------------------------------------------------------------------------------------------------------------------------|
|Samuel Padgett/Durham/IBM |
>--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| To: |
|------------>
>--------------------------------------------------------------------------------------------------------------------------------------------------|
|oslc-core at open-services.net <oslc-core at open-services.net> |
>--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Cc: |
|------------>
>--------------------------------------------------------------------------------------------------------------------------------------------------|
|Randy Hudson/Raleigh/IBM at IBMUS, Adam Archer/Toronto/IBM at IBMCA |
>--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Date: |
|------------>
>--------------------------------------------------------------------------------------------------------------------------------------------------|
|08/07/2011 01:06 PM |
>--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Subject: |
|------------>
>--------------------------------------------------------------------------------------------------------------------------------------------------|
|OSLC Compact representation, titles with markup |
>--------------------------------------------------------------------------------------------------------------------------------------------------|
Small correction, that first example should be,
<dcterms:title rdf:parseType="Literal">12345: <s>Null pointer exception
during startup</s></dcterms:title>
- Sam
__________________
I believe the spec is a bit confusing when it comes to titles with markup
for UI Preview.
The Compact representation has a dcterms:title property. It's defined as an
XML Literal that can contain XHTML markup [1]. My understanding of XML
Literals as discussed in the RDF Primer [2] means a title with markup would
look like this,
<dcterms:title>12345: <s>Null pointer exception during
startup</s></dcterms:title>
The example [3] of this resource has a title like this, however,
<dcterms:title> 12345: <s>Null pointer exception during
startup</s> </dcterms:title>
The example doesn't seem to fit with the description.
It's very difficult to parse the former using XPath. For instance, the
expression "/oslc:Compact/dcterms:title" takes out the "<s>" and "</s>"
Most implementations I'm aware also follow the example where markup is
encoded. It means special characters need to be "double encoded." For
instance, "12345: Values > 1000 incorrectly calculated" would be,
<dcterms:title>12345: Values > 1000 incorrectly
calculated</dcterms:title>
I think we should add more clarity to the spec here, as getting this wrong
can open up consumers to cross-site scripting attacks. I'd also suggest we
say that providers MUST NOT use any markup with a <script> tag and consumer
MUST NOT display any markup with a <script> tag to guard against this
problem.
Best Regards,
Sam
[1]
http://open-services.net/bin/view/Main/OslcCoreUiPreview?sortcol=table;up=#Representation_Compact
[2] http://www.w3.org/TR/rdf-syntax/#xmlliterals
[3]
http://open-services.net/bin/view/Main/OslcCoreUiPreview?sortcol=table;up=#XML_Representation_Format
More information about the Oslc-Core
mailing list