I have found that there exists "&" in my code that's why error is showing
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(dsExport.Tables[0].Rows[i]["SubmissionData"].ToString());
The "&" is there in submissiondata . How can I remove the special characters so that the error doesn't show again ?
Thanks in advance
Replace your "&" with "&"
& is not an illegal XML character. This is not your problem. You need to log the XML that you receive, before you ask anyone about your problem. You probably need to
HTTPUtility.HTMLDecode(yourformdata)
But I smell SQL injection a long way.
Try:
XmlDocument xmlDoc = new XmlDocument();
string str = dsExport.Tables[0].Rows[i]["SubmissionData"].ToString();
str = System.Web.HTTPUtility.HTMLDecode(str);
xmlDoc.LoadXml(str);
Sorry I am replying too late but I hope it will help some other guys. This issue is because of the encoding of special characters in XML. Please find the below link which may help you https://support.google.com/checkout/sell/answer/70649?hl=en
Thanks,
Vijay Sherekar
Related
Consider the following code:
private XmlDocument CreateMessage(string dirtyInput)
{
XmlDocument xd = new XmlDocument();
string str = #"<Message><Request>%REQ%</Request><Message>";
str = str.Replace("%REQ%", dirtyInput);
xd.LoadXml(str);
return xd;
}
What steps should I take to sanitize/validate this dirtyInput string (it can come from untrusted sources)?
EDIT:
To provide a bit more context, this XML "message" is then being sent (by me) to a third party web service. I am mostly concerned with the mitigating the risk that someone could pass me a string that could possibly exploit vulnerabilities in my XML parser, or perhaps even in the parser on the target [third party] end (to whom I am sending this message). So clearly I could focus on special XML characters like < > & etc. -- do I also need to worry about escaped/encoded forms of those characters? Is the SecurityElement.Escape method mentioned in the possible dupe link adequate for this?
Since you're generating an XmlDocument, you could rely on the DOM methods to handle all escaping for you:
private XmlDocument CreateMessage(string dirtyInput)
{
XmlDocument xd = new XmlDocument();
xd.LoadXml(#"<Message><Request></Request></Message>");
xd["Message"]["Request"].InnerText = dirtyInput;
return xd;
}
Depends on what environment this string is going to be applied to (Web? Database?...)
If it is the web and you're trying to prevent XSS, this will do the trick:
HttpUtility.HtmlEncode(dirtyInput);
For databases, I'd forego sanitization in favour of paramterized queries.
As mentioned in the comments, you should wrap the dirtyinput in a Character Data section:
<![CDATA[
...
]]>
I've a little problem..
I'm using XmlNamespaceManager to parse a contex with unknown namespace..
It works really fine but I've a problem...
This is a snapshop of the generated XML
<RecordingConfig b:topic="true" xmlns="http://www.onvif.org/ver10/topics" xmlns:b="http://docs.oasis-open.org/wsn/t-1">
<JobState b:topic="true">
...
</JobState>
</RecordingConfig>
It's ok.. but I'd a little change like this:
<tns1:RecordingConfig b:topic="true" xmlns:tns1="http://www.onvif.org/ver10/topics" xmlns:b="http://docs.oasis-open.org/wsn/t-1">
<tns1::JobState b:topic="true">
...
</tns1:JobState>
</tns1:RecordingConfig>
(look the prefix tns1:)
Someone can help me, please?
Thanks in advance
For removing namespace you have to write some 15 lines of code.
Easily you can do if you know the Xmlns then just replace
xdoc is your xml File then,
xdoc.LoadXml(xdoc.OuterXml.Replace("xmlns=\"http://www.onvif.org/ver10/topics\"", ""));
then you can select any node
var node = xdoc.SelectNodes("RecordingConfig/JobState");
My xml file is as follows:
<Default>
<CareSettingName>
<Name>Hosp1/Name>
<Name>Hosp2/Name>
<Name>Hosp3/Name>
<Name>Hosp4/Name>
</CareSettingName>
<DocNames>
<Name>Doc1/Name>
<Name>Doc2/Name>
<Name>Doc3/Name>
</DocNames>
</Default>
With the following code I try to delete Hosp4:
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(localXMLfile);
XmlNode node = xmlDoc.SelectSingleNode("/Default/CareSettingName[Name='Hosp4']");
node.ParentNode.RemoveChild(node);
xmlDoc.Save(localXMLfile);
When I run this, it deletes ALL the entries in CareSettingName - not the single one I am looking for. I can't see to find the problem. Can somebody please help me?
Can anybody please help me? Thanks.
It's because you're selecting /Default/CareSettingName (when it contains a Name that equals Hosp4).
Try changing your xpath to:
/Default/CareSettingName/Name[.='Hosp4']
HttpContext.Current.Response.ContentType = "text/xml";
HttpContext.Current.Response.ContentEncoding = Encoding.UTF8;
HttpPostedFile file = HttpContext.Current.Request.Files[0];
// If file.InputSteam contains an "&", exception is thrown
XDocument doc = XDocument.Load(XmlReader.Create(file.InputStream));
HttpContext.Current.Response.Write(doc);
Is there any way to replace & with & before generating the xml document? My current code crashes whenever the file contains a &.
Thanks
Your code will only crash if it's not valid XML. For example, this should be fine:
<foo>A & B</foo>
If you've actually got
<foo>A & B</foo>
Then you haven't got an XML file. You may have something which looks a bit like XML, but it isn't really valid XML.
The best approach here isn't to transform the data on the fly - it's to fix the source of the data so that it's real XML. There's really no excuse for anything producing invalid XML in this day and age.
Additionally, there's no reason to use XmlReader.Create here - just use
XDocument doc = XDocument.Load(file.InputStream);
use HttpEncoder.HtmlEncode()
http://msdn.microsoft.com/en-us/library/system.web.util.httpencoder.aspx
you can use "& amp;" to escape "&".
In xml document, there are some characters should be escaped.
& ---- &
< ---- <
> ---- >
" ---- "
' ---- '
I have an & character in one of the xml nodes as below.
<dependents>9 & 5</dependents>
When I try to load the file as below, it is giving an error "An error occured while parsing EntityName.". Is it possible to escape this character and load successfully? Thank you.
m_InputXMLDoc = new XmlDocument();
if (System.IO.File.Exists(InputFile))
{
m_InputXMLDoc.Load(InputFile);
}
Your XML is invalid.
You need to change it to &.
Use a CDATA section
<dependents><![CDATA[9 & 5]]></dependents>