[GeoNetwork-devel] Escaping ampersands in XSLT-generated URLs [SEC=UNCLASSIFIED]

Hi Richard,

Have you tried putting the URL into a CDATA structure? That may make the
XSLT ignore all the content.

Alternatively there is an option in XSLT, that I can't remember at the
moment, that tells the XSLT to not process the character references.

This may or may not work.

John

-----Original Message-----
From: geonetwork-devel-bounces@lists.sourceforge.net
[mailto:geonetwork-devel-bounces@lists.sourceforge.net] On
Behalf Of Software Improvements gn-devel
Sent: Wednesday, 28 May 2008 10:14 AM
To: geonetwork-devel@lists.sourceforge.net
Subject: Re: [GeoNetwork-devel] Escaping ampersands in XSLT-generated URLs

Jeroen Ticheler wrote:
> Hi Richard,
> Does the below example generate an error for you?

I note that my previous e-mail looks very strange in Nabble
because every occurrence of the sequence of characters
"ampersand a m p semicolon" appears in the browser only as an
ampersand. I really did write just an ampersand in some
places and "ampersand a m p semicolon" in others! So for the
rest of this e-mail please mentally replace each occurrence
of "ampersand" with a real ampersand.

I attach an example page generated via the graphover-show.xsl
script. I don't know how this example will get munged by the
mailing list or Nabble - the important line reads
"access=publicampersandid=10ampersandfname"
except with real ampersands.

If you put this into the W3C validator
(http://validator.w3.org/) you get
a number of errors related to the 'general entity "id"'
and 'general entity "fname"'.

The validator (correctly) parses
"access=publicampersandid=10"
as though it was "access=publicampersandid;=10", i.e., by
assuming a missing semicolon, and then (correctly) rejects
this as invalid HTML because there is indeed no 'general entity "id"'.

--
Richard Walker
Software Improvements Pty Ltd
Phone: +61 2 6273 2055
Fax: +61 2 6273 2082
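As an added example (not from Richard's or John's mail, and not GeoNetwork code), the two encodings an XSLT-generated link needs before it is well-formed (X)HTML, checked against Python's strict XML parser; the "/service" path and the parameter values are made up for the example:

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Placeholder service path; not GeoNetwork's real graphover.show URL.
SERVICE = "/service"


def build_href(params):
    """Return an href attribute value that is both a valid URL and
    well-formed (X)HTML.

    Two encodings, applied in this order:
    1. urlencode() percent-encodes each parameter, so a literal '&' or
       '=' inside a value cannot split the query string;
    2. html.escape() turns the '&' separators into '&amp;', which is
       what the W3C validator was asking for in the thread.
    """
    return html.escape(SERVICE + "?" + urlencode(params), quote=True)


def href_from_fragment(fragment):
    """Parse an XHTML anchor with a strict XML parser and return its
    href, or None when the fragment is not well-formed (raw '&')."""
    try:
        return ET.fromstring(fragment).get("href")
    except ET.ParseError:
        return None


def lenient_unescape(attr_value):
    """What a lenient HTML consumer does with an unescaped attribute: a
    bare '&' followed by a legacy entity name is decoded even without
    the ';', so the URL is silently changed rather than rejected."""
    return html.unescape(attr_value)


if __name__ == "__main__":
    href = build_href({"access": "public", "id": 10, "fname": "a.png"})
    print(href)  # /service?access=public&amp;id=10&amp;fname=a.png
    print(href_from_fragment('<a href="%s">x</a>' % href))  # real '&' back
    raw = '<a href="/service?access=public&id=10&fname=a.png">x</a>'
    print(href_from_fragment(raw))  # None: 'id' is not an entity
    print(lenient_unescape("?lang=en&copy=1"))  # ?lang=en©=1
```

The last line is why this matters beyond validator warnings: "&copy" is a legacy HTML entity, so an unescaped ampersand can alter a query string without any error being raised.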

Hi All,

We haven't been able to do any OGC requests to external WMS, WFS and WCS because the "GET" and "POST" HTTP commands are blocked through our firewall. The requests are blocked for security reasons. This prompts me to ask, does GN do some checking to see if the stated WMS URL is actually a WMS? For example, does it try a 'GetCapabilities' request and then validate the returned XML to see if it is a valid capabilities version X.X.X XML file?

Similarly, does GN then check the returned content from 'GetMap' and 'GetFeatureInfo' to see if it is a valid XML file according to the OGC specifications?

If not, don't you think that this would be a good idea to show that GN has considered some security issues?

Thanks.

John Hockaday
Geoscience Australia
GPO Box 378
Canberra ACT 2601
(02) 6249 9735
http://www.ga.gov.au/
john.hockaday@ga.gov.au

Hi John,
For the Dutch government we are implementing a small service monitoring tool that will do those kinds of checks. It is part of the GeoNetwork application and will for instance show the status and availability of a particular service. Once it is matured a bit more we can also make that part of the GeoNetwork opensource trunk.
Ciao,
Jeroen

_______________________________________________
GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork

Hi Jeroen,

Thanks for the reply. It looks like this sort of security is ideal for me (and probably others around the world). I look forward to its implementation in the branch.

Thanks.

John

-----Original Message-----
From: Jeroen Ticheler [mailto:Jeroen.Ticheler@anonymised.com]
Sent: Friday, 12 December 2008 11:46 PM
To: Hockaday John
Cc: geonetwork-devel@lists.sourceforge.net
Subject: Re: [GeoNetwork-devel] Does GeoNetwork do any checking of the results from OGC requests? [SEC=UNCLASSIFIED]


Hi Jeroen,

I was wondering if this code (that validates the XML from a WMS) has gone into the trunk? If not, can you indicate where it is and if we can get it into our version of GN which is 2.2.0?

Thanks.

John


Hi,

For clarification, the small service monitoring tool we implemented for the project Jeroen mentioned, basically does the following:
1. check if metadata (either ISO19115/ISO19139 or ISO19119/ISO19139) has information on a WMS or WFS service
2. if so, then try to create one WMS or WFS request (GetMap resp. GetFeature) per service, based on the metadata and some elements of the Capabilities document. Note that there is no actual XML validation of the Capabilities document, but this shouldn't be that difficult to implement. Anyway, if a request is successfully created it is stored in the database; let's call this the monitoringrequest.
3. The monitoringrequest is sent to the service at set intervals and the response is checked. If the response mime-type (still a basic check!) seems to be valid (e.g. an image for WMS or an XML doc for WFS), it is saved as being successful.
4. A service can then be used to request for statistics on the "uptime" based on these monitoringrequests over a certain period.

For this project, it was not meant as a validation tool for services, but just for checking availability / uptime in a basic way.

It probably is not generic enough yet, since there are some assumptions based on the Dutch implementation and requirements, but it may serve as a basis for further development.
So if people find this interesting, I (or maybe in cooperation with Jeroen) can try to get the code in GN's code repository somewhere. (I'm afraid I don't have time at short notice to make it generic.)

Best regards,
Thijs
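As an added example (not the Dutch monitoring tool's code, nor GeoNetwork's), the response check John asked about and Thijs describes in step 3, taken one level deeper than the mime-type test: the body is parsed, the image magic bytes are compared with the declared type, and an OGC exception report returned with HTTP 200 is treated as a failure; all sample responses are constructed:

```python
import xml.etree.ElementTree as ET

# Magic bytes of the image formats a WMS GetMap is normally asked for.
IMAGE_MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}
# Root elements of OGC exception documents, often returned with HTTP 200.
EXCEPTION_ROOTS = {"ServiceExceptionReport", "ExceptionReport"}

def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]

def check_response(service, content_type, body):
    """Classify one monitoring response; returns (ok, reason).

    service is "WMS" (GetMap, expects an image) or "WFS" (GetFeature,
    expects a FeatureCollection). Besides the mime-type test the thread
    describes, the body itself is inspected.
    """
    mime = content_type.split(";")[0].strip().lower()
    if "xml" in mime:
        # Either service may answer with XML: a GetFeature result, or an
        # exception report. Parse it and look at the root element.
        try:
            root = local_name(ET.fromstring(body).tag)
        except ET.ParseError:
            return False, "body is not well-formed XML"
        if root in EXCEPTION_ROOTS:
            return False, "service returned an OGC exception report"
        if service == "WFS" and root == "FeatureCollection":
            return True, "valid-looking FeatureCollection"
        return False, "unexpected XML root <%s>" % root
    if service == "WMS" and mime in IMAGE_MAGIC:
        if not body.startswith(IMAGE_MAGIC[mime]):
            return False, "body does not match declared %s" % mime
        return True, "valid-looking %s image" % mime
    return False, "unexpected mime-type %s for %s" % (mime, service)

if __name__ == "__main__":
    # Constructed responses, not captured from any real server.
    samples = [
        ("WMS", "image/png", IMAGE_MAGIC["image/png"] + b"\x00" * 16),
        ("WMS", "image/png", b"<html><body>Login required</body></html>"),
        ("WMS", "application/vnd.ogc.se_xml", b"<ServiceExceptionReport/>"),
        ("WFS", "text/xml; charset=UTF-8",
         b'<wfs:FeatureCollection xmlns:wfs="http://www.opengis.net/wfs"/>'),
        ("WFS", "text/xml", b"<wfs:FeatureCollection"),
    ]
    for service, ctype, body in samples:
        print(service, ctype, check_response(service, ctype, body))
```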
