[oslc-core] OSLC Compact representation, titles with markup

Randy Hudson hudsonr at us.ibm.com
Mon Aug 8 11:41:54 EDT 2011 

Sam,

I agree that the spec needs to be more clear, but I don't agree with your
interpretation of the current spec.

If the spec says that a property's value is of type "string", then to
persist the string "<foo>" in XML+RDF, you must escape that string as
"<foo>" in the raw XML.  It's my understanding (and I could be wrong)
that this is true of any data type, including XML Literal.  So if the
title's value were "<b>foo</b>", persisting that value to XML+RDF would
require escaping characters like '<'.  Persisting that same value using
another format, like N3, maybe wouldn't require the same characters to be
escaped.

I have some suggested changes that I'll get to in a future email, but can
we first agree that the current spec's example does in fact agree with the
current spec?  I think it's important that we all start on the same page
before we write the next one :-)

-Randy


|------------>
| From:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Samuel Padgett/Durham/IBM                                                                                                                         |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| To:        |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |oslc-core at open-services.net <oslc-core at open-services.net>                                                                                         |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Cc:        |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Randy Hudson/Raleigh/IBM at IBMUS, Adam Archer/Toronto/IBM at IBMCA                                                                                     |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Date:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |08/07/2011 01:06 PM                                                                                                                               |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Subject:   |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |OSLC Compact representation, titles with markup                                                                                                   |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|




Small correction, that first example should be,

  <dcterms:title rdf:parseType="Literal">12345: <s>Null pointer exception
during startup</s></dcterms:title>

- Sam


__________________

I believe the spec is a bit confusing when it comes to titles with markup
for UI Preview.

The Compact representation has a dcterms:title property. It's defined as an
XML Literal that can contain XHTML markup [1]. My understanding of XML
Literals as discussed in the RDF Primer [2] means a title with markup would
look like this,

  <dcterms:title>12345: <s>Null pointer exception during
startup</s></dcterms:title>

The example [3] of this resource has a title like this, however,

  <dcterms:title> 12345: <s>Null pointer exception during
startup</s> </dcterms:title>

The example doesn't seem to fit with the description.

It's very difficult to parse the former using XPath. For instance, the
expression "/oslc:Compact/dcterms:title" takes out the "<s>" and "</s>"
Most implementations I'm aware also follow the example where markup is
encoded. It means special characters need to be "double encoded." For
instance, "12345: Values > 1000 incorrectly calculated" would be,

  <dcterms:title>12345: Values &gt; 1000 incorrectly
calculated</dcterms:title>

I think we should add more clarity to the spec here, as getting this wrong
can open up consumers to cross-site scripting attacks. I'd also suggest we
say that providers MUST NOT use any markup with a <script> tag and consumer
MUST NOT display any markup with a <script> tag to guard against this
problem.

Best Regards,
Sam


[1]
http://open-services.net/bin/view/Main/OslcCoreUiPreview?sortcol=table;up=#Representation_Compact
[2] http://www.w3.org/TR/rdf-syntax/#xmlliterals
[3]
http://open-services.net/bin/view/Main/OslcCoreUiPreview?sortcol=table;up=#XML_Representation_Format

More information about the Oslc-Core mailing list