3

I'm working on a university assignment where we're building a website that allows students to see available courses, enlist in them, show them their timetable, etc. When the user sees his timetable, it is produced in XML and we're using XSLT to view it (as in a previous question I asked). There are currently two different XSLT files and the user can choose (via a dropdown menu) which "theme" he wants to use.

We were asked to allow the user to upload his own .xsl file and have it added to the list of themes (available to anyone). To accommodate this demand, I created a new XML file, called timetable_themes.xml which looks something like this:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE TimetableThemes SYSTEM "timetable_themes.dtd" >
<TimetableThemes>
  <Theme>
    <Name>Classic</Name>
    <FileName>classic.xsl</FileName>
  </Theme>
  <Theme>
    <Name>Bullets</Name>
    <FileName>bullets.xsl</FileName>
  </Theme>
</TimetableThemes>
```

This file lists the different themes available and their file names. This XML file, and the XSL files reside at WebContent/timetable. The two themes currently available were designed by us, but we need to allow the user to upload his.

My question is: how do I allow a user to upload files, how do I choose where to save them in the server, and thirdly, is my XML solution for the theme list a good idea?

Amir Rachum
  • XSL is rather complicated. Is it a good idea to allow users to upload their own XSL? What about the danger of a denial-of-service attack? – Raedwald Aug 05 '11 at 12:23
  • @Raedwald this is a university assignment, so it's not really optional. – Amir Rachum Aug 05 '11 at 12:24
  • `is my XML solution for the theme list a good idea?` That's [a bad idea if you consider security](http://security.stackexchange.com/questions/4410/public-xslt-xml-playground-with-php-domdocument-etc-security-risks/4417#4417). – Vineet Reynolds Aug 05 '11 at 12:42

2 Answers

1

Shalom Amir, use this to retrieve a file upload from a form you have constructed.

Michael-O
1

> how do I allow a user to upload files

Use `<form method="post" enctype="multipart/form-data"><input type="file">` in the HTML/JSP side and use Apache Commons FileUpload to parse it, or, when you're already using a Servlet 3.0 capable container, use `HttpServletRequest#getParts()`. See also "How to upload files to server using JSP/Servlet?"


> how do I choose where to save them in the server?

At least not in the public webcontent. All new files would get lost whenever you redeploy the webapp or even when you restart the server. Store them in the local disk file system using `FileOutputStream`, or if that's not an option, in the DB using `PreparedStatement#setBinaryStream()`.


> is my XML solution for the theme list a good idea?

This is not a question which can be objectively answered. It really depends on too many factors. Try a discussion forum instead of a Q&A site.

BalusC
  • How do I know which Servlet API I'm using? – Amir Rachum Aug 05 '11 at 15:26
  • The maximum supported servlet API version is to be determined based on the target runtime. E.g. Tomcat 7.0 supports max Servlet 3.0, Tomcat 6.0 supports max Servlet 2.5, etc. The *actually* used Servlet API version is to be determined based on the `web.xml` root declaration. Until version 2.3 a DTD is used with version number included and since version 2.4 an XSD is used with version number included and a `version` attribute. – BalusC Aug 05 '11 at 15:30
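
The following is an added example, not code from the question or from either answer. It sketches the Servlet 3.0 route mentioned in the second answer (multipart parsing by the container, storage outside the public webcontent) with the checks the security comments point toward. The URL `/uploadTheme`, the form field name `theme` and the directory `/var/timetable/themes` are assumptions made for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.annotation.*;
import javax.servlet.http.*;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamSource;

// Added example: Servlet 3.0 upload handler for user-supplied .xsl themes.
// "/uploadTheme", the "theme" field and THEME_DIR are hypothetical names.
@WebServlet("/uploadTheme")
@MultipartConfig(maxFileSize = 64 * 1024, maxRequestSize = 128 * 1024) // cap upload size
public class ThemeUploadServlet extends HttpServlet {

    // Outside the deployed webapp, so files survive redeploys and are not served directly.
    private static final Path THEME_DIR = Paths.get("/var/timetable/themes");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part = req.getPart("theme");
        if (part == null || part.getSize() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "No stylesheet uploaded");
            return;
        }
        Files.createDirectories(THEME_DIR);
        // Never reuse the client-supplied file name: a server-generated one rules out
        // path traversal and overwriting classic.xsl or bullets.xsl.
        Path target = THEME_DIR.resolve(UUID.randomUUID() + ".xsl");
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target);
        }
        try {
            // Compile once with secure processing enabled; reject anything that fails.
            TransformerFactory tf = TransformerFactory.newInstance();
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            tf.newTemplates(new StreamSource(target.toFile()));
        } catch (TransformerException e) {
            Files.deleteIfExists(target);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Not a valid XSLT stylesheet");
            return;
        }
        // The generated name is what would be recorded as <FileName> in the theme list.
        resp.setContentType("text/plain");
        resp.getWriter().println("Stored as " + target.getFileName());
    }
}
```

Secure processing restricts features such as Java extension functions in the JDK's built-in XSLT processor, and the same factory setting belongs on the code path that later applies the theme. It does not bound the CPU or memory a stylesheet can consume at transform time, so the denial-of-service concern raised in the comments still needs its own limit.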