[Ur] CMS like features ? unsafe XML - encodings?
Adam Chlipala
adamc at impredicative.com
Wed Dec 15 09:35:32 EST 2010
Marc Weber wrote:
> Many web applications are using kind of
>
> xml += "<div>#{xml_content_from_db}</div>";
>
> which of course is unsafe. Which is the urweb way?
> Is there a blessXml function ?
>
Every XML type is represented with strings at the C level, so you can
use the FFI to circumvent the type system in any way you like.
Naturally, I'm not too eager to call that "the Ur/Web way." ;)

More interesting is some HTML parsing code which I just added to the
Meta library (that I announced yesterday). This will let you convert
arbitrary strings into verified HTML, and the library is implemented
entirely within Ur. See the [Html] module and the "testHtml" test.

> Which is the urweb way storing xml in a database and including it into a
> page?
>
If you only write into the database from the same Ur/Web application (or
exercise care in writing externally, so that you observe the Ur/Web
types), then simple code like this gets the job done.

    table xmly : {Enced : serialized xbody}

    fun main' () =
        dml (INSERT INTO xmly (Enced) VALUES ({[serialize <xml><b>Whoa!</b> Yeah!</xml>]}));
        x <- oneRowE1 (SELECT (xmly.Enced)
                       FROM xmly);
        return <xml><body>{deserialize x}</body></xml>

    fun main () = return <xml><body><form><submit action={main'}/></form></body></xml>

> If we are at it: Does it make sense to encode the encoding of a string
> somehow?
>
Maybe so, but I'm woefully underinformed about encodings. The last time
I looked into this, I think my conclusion was that sticking with UTF-8
could please everybody reasonably well.
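
Added example, not part of the original message and not Ur/Web code: the string-versus-typed-XML distinction discussed above, sketched in Ruby (whose interpolation syntax the quoted snippet uses), with the unchecked splice beside a form that only accepts checked markup. `SafeXml`, `div`, `div_unsafe` and the `b`/`i` allowlist are hypothetical names chosen here; this does not reproduce the Meta library's [Html] module.

```ruby
require 'cgi'

# Markup that has been escaped or checked; the only type `div` inserts raw.
class SafeXml
  ALLOWED = %w[b i].freeze # constructed allowlist for this example
  attr_reader :to_s

  def initialize(markup)
    @to_s = markup.freeze
  end
  private_class_method :new # values come only from .text or .parse

  # Plain text: every markup metacharacter is escaped.
  def self.text(str)
    new(CGI.escapeHTML(str))
  end

  # Untrusted markup: accept only attribute-free, properly nested ALLOWED
  # tags; text between tags is escaped (so entities appear literally).
  # Returns nil when the input does not check.
  def self.parse(str)
    out = +''
    open_tags = []
    str.scan(%r{<(/?)(\w+)>|([^<]+)|(<)}) do |close, tag, text, stray|
      if text
        out << CGI.escapeHTML(text)
      elsif stray || !ALLOWED.include?(tag)
        return nil # stray '<', attributes, or a tag outside the allowlist
      elsif close.empty?
        open_tags.push(tag)
        out << "<#{tag}>"
      else
        return nil unless open_tags.pop == tag # mismatched close tag
        out << "</#{tag}>"
      end
    end
    open_tags.empty? ? new(out) : nil
  end
end

# The pattern from the quoted message: database content spliced in as-is.
def div_unsafe(xml_content_from_db)
  "<div>#{xml_content_from_db}</div>"
end

# Hardened form: a bare String is refused rather than trusted.
def div(content)
  raise TypeError, 'expected SafeXml' unless content.is_a?(SafeXml)
  "<div>#{content.to_s}</div>"
end
```
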