1. Forum
  2. Usenet
  3. COMP.TEXT.XML

  • implementing SSI (server-side-include) like structure

    From weiwu.zhang@alphawallet.com@21:1/5 to All on Tue Oct 23 01:41:22 2018
    Hello! Let's suppose there is an XML file for a security token device where some XHTML is allowed (in the <introduction>)

    <?xml version="1.0" encoding="UTF-8"?>
    <t:token xmlns:t="http://alphawallet.io/ns/token"
    xmlns="http://www.w3.org/1999/xhtml">
    <t:appearance>
    <t:name>Security Token</t:name>
    <t:introduction lang="en">
    <h1>Instructions to open the office door</h1>
    <img alt="A numeric pad with 10 digits, with asterisk on the lower-left corner and number sign on the lower-right corner."

    src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGoAAABUAQMAAABQnzAJAAAABlBMVEX///8AAABVwtN+AAAACXBI
    WXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH4goXCAQH5D1msQAAAUdJREFUOMvVkzFSwzAQRf/KArtg gulTaHICH4AZFCofipmo8AE4AkfREXKEHMElnfkryQ4xDE0oQONi32il3f+1Bn5c1TSNeJqmHOBO vwjEFKBjQsWsTgPAAWKIrQaAR8CALRpfjwy9KO6IaInBBPTYwwaeY6pVFEWfTioaxbigXZITNopt SR8YlZszOqJ1DF09sqsDu6qifOl5pWil95p1nXWeEg6UIKekKBI9kTkUL57yPeXb5LK5RKv4QrxJ 1jW+OHmbrLs/FZ9ttk4LiXqVrVN81kLJOj6awSO7kj9sXXrfzdykzsCAh1mCpwgOQygCVVPP3SJf 93uetcF0C+quHJcxc6GM2QrzmGkhuGXqNsQqpjIXD/pPpg7lh5Wzot2Mwb6WH1bSIJm3gvW7osTv dzMuZ1Nyvnl/LoTPhXJXW31Q96vWfQA1zLLR3ye5DwAAAABJRU5ErkJggg==" style="float: left;"/>
    <ol>
    <li>Key in the office number you are going to access.</li>
    <li>Wait for the beep</li>
    <li>Door opens automatically.</li>
    </ol>
    </t:introduction>
    <t:certificates>...(cryptogrpahic stuff)...</t:certificates>
    </t:token>

    Element <introduction> has the corresponding schema to allow HTML segments:

    <xs:import namespace="http://www.w3.org/1999/xhtml"
    schemaLocation="xhtml11.xsd"/>
    <xs:element name="introduction" type="xh:xhtml.div.type"/>

    For security reasons, the device is not connected to the Internet at the outset, hence the image illustrating how to use it is encoded in base64. The XML file is shipped with the security device which is a system-on-chip computer with NFC and some other
    security authentication hardware.

    It works alright and worked for a few months until the product manager comes and say: "some users whose certificate has expired will need to talk to the intercom to ask for the door lock to be overridden, and the security device should give clear
    messages to guide such users."

    So here comes the second XML with this feature added by a newly invented <when> element inserted in the latter half of <introduction>:

    <?xml version="1.0" encoding="UTF-8"?>
    <t:token xmlns:t="http://alphawallet.io/ns/token"
    xmlns="http://www.w3.org/1999/xhtml">
    <t:appearance>
    <t:name>Security Token</t:name>
    <t:introduction lang="en">
    <h1>Instructions to open the office door</h1>
    <img alt="A numeric pad with 10 digits, with asterisk on the lower-left corner and number sign on the lower-right corner."

    src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGoAAABUAQMAAABQnzAJAAAABlBMVEX///8AAABVwtN+AAAACXBI
    WXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH4goXCAQH5D1msQAAAUdJREFUOMvVkzFSwzAQRf/KArtg gulTaHICH4AZFCofipmo8AE4AkfREXKEHMElnfkryQ4xDE0oQONi32il3f+1Bn5c1TSNeJqmHOBO vwjEFKBjQsWsTgPAAWKIrQaAR8CALRpfjwy9KO6IaInBBPTYwwaeY6pVFEWfTioaxbigXZITNopt SR8YlZszOqJ1DF09sqsDu6qifOl5pWil95p1nXWeEg6UIKekKBI9kTkUL57yPeXb5LK5RKv4QrxJ 1jW+OHmbrLs/FZ9ttk4LiXqVrVN81kLJOj6awSO7kj9sXXrfzdykzsCAh1mCpwgOQygCVVPP3SJf 93uetcF0C+quHJcxc6GM2QrzmGkhuGXqNsQqpjIXD/pPpg7lh5Wzot2Mwb6WH1bSIJm3gvW7osTv dzMuZ1Nyvnl/LoTPhXJXW31Q96vWfQA1zLLR3ye5DwAAAABJRU5ErkJggg==" style="float: left;"/>
    <ol>
    <li>Key in the office number you are going to access.</li>
    <li>Wait for the beep</li>
    <li>
    <t:when certificate="valid">Door opens automatically.</t:when>
    <t:when certificate="invalid">Someone on the Intercome will talk to you</t:when>
    </li>
    </ol>
    </t:introduction>
    <t:certificates>...(cryptogrpahic stuff)...</t:certificates>
    </t:token>


    This won't pass validation because xhtml.div.type does not allow <t:when>, even if it is defined in the security token XML's schema.

    This newly invented <when> element reminded me of SSI - server-side-include, which is a primal way of getting the web pages a bit dynamic back in the 90s with simple if-else-then buried in HTML comments. It has fallen out of use because it wasn't as
    flexible as javascript or JSP. But it may still be applied here where we don't want much flexibility, given the security context.

    One way to work around this limitation of not being able to insert conditional elements in the XHTML segment is to put <when> tag around the entire XHTML message:

    <t:when certificate="valid"><t:introduction>...</t:introduction></t:when> <t:when certificate="invalid"><t:introduction>...</t:introduction></t:when>

    But that means the entire thing including the base64 encoded image has to be repeated, making editing more difficult.

    Is there a way to enable the SSI-like behaviour in this context? (which is not a server-client context but entirely local.)

    Thanks a lot!

    P.S. the security device token is actually a made-up scenario. I am actually curious about how flexible XML allows this kind of tear-it-apart.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)