The term CDATA, meaning character data, is used for distinct, but related, purposes in the markup languages SGML and XML. The term indicates that a certain portion of the document is general character data, rather than non-character data or character data with a more specific, limited structure.
CDATA sections in XML
In an XML document or external entity, a CDATA section is a piece of element content that is marked up to be interpreted literally, as textual data, not as marked-up content.[1] A CDATA section is merely an alternative syntax for expressing character data; there is no semantic difference between character data in a CDATA section and character data in standard syntax where, for example, "<
" and "&
" are represented by "<
" and "&
", respectively.
Syntax and interpretation
A CDATA section starts with the following sequence:
<![CDATA[
and ends with the next occurrence of the sequence:
]]>
All characters enclosed between these two sequences are interpreted as characters, not markup or entity references. Every character is taken literally, the only exception being the ]]>
sequence of characters. In:
<sender>John Smith</sender>
the start and end "sender" tags are interpreted as markup. However, the code:
<![CDATA[<sender>John Smith</sender>]]>
is equivalent to:
<sender>John Smith</sender>
Thus, the "tags" will have exactly the same status as the "John Smith"; they will be treated as text.
Similarly, if the numeric character reference ð
appears in element content, it will be interpreted as the single Unicode character 00F0 (small letter eth). But if the same appears in a CDATA section, it will be parsed as six characters: ampersand, hash mark, digit 2, digit 4, digit 0, semicolon.
Uses of CDATA sections
New authors of XML documents often misunderstand the purpose of a CDATA section, mistakenly believing that its purpose is to "protect" data from being treated as ordinary character data during processing. Some APIs for working with XML documents do offer options for independent access to CDATA sections, but such options exist above and beyond the normal requirements of XML processing systems, and still do not change the implicit meaning of the data. Character data is character data, regardless of whether it is expressed via a CDATA section or ordinary markup. CDATA sections are useful for writing XML code as text data within an XML document. For example, if one wishes to typeset a book with XSL explaining the use of an XML application, the XML markup to appear in the book itself will be written in the source file in a CDATA section.
Nesting
A CDATA section cannot contain the string "]]>
" and therefore it is not possible for a CDATA section to contain nested CDATA sections. The preferred approach to using CDATA sections for encoding text that contains the triad "]]>
" is to use multiple CDATA sections by splitting each occurrence of the triad just before the ">
". For example, to encode "]]>
" one would write:
<![CDATA[]]]]><![CDATA[>]]>
This means that to encode "]]>
" in the middle of a CDATA section, replace all occurrences of "]]>
" with the following:
]]]]><![CDATA[>
This effectively stops and restarts the CDATA section.
Issues with encoding
In text data, any Unicode character not available in the encoding declared in the <?xml ...?>
header can be represented using a &#nnn;
numerical character reference. But the text within a CDATA section is strictly limited to the characters available in the encoding.
Because of this, using a CDATA section programmatically to quote data that could potentially contain '&
' or '<
' characters can cause problems when the data happens to contain characters that cannot be represented in the encoding. Depending on the implementation of the encoder, these characters can get lost, can get converted to the characters of the &#nnn;
character reference, or can cause the encoding to fail. But they will not be maintained.
Another issue is that an XML document can be transcoded from one encoding to another during transport. When the XML document is converted to a more limited character set, such as ASCII, characters that can no longer be represented are converted to &#nnn;
character references for a lossless conversion. But within a CDATA section, these characters can not be represented at all, and have to be removed or converted to some equivalent, altering the content of the CDATA section.
Use of CDATA in program output
CDATA sections in XHTML documents are liable to be parsed differently by web browsers if they render the document as HTML, since HTML parsers do not recognise the CDATA start and end markers, nor do they recognise HTML entity references such as <
within <script>
tags. This can cause rendering problems in web browsers and can lead to cross-site scripting vulnerabilities if used to display data from untrusted sources, since the two kinds of parser will disagree on where the CDATA section ends.
Since it is useful to be able to use less-than signs (<
) and ampersands (&
) in web page scripts, and to a lesser extent styles, without having to remember to escape them, it is common to use CDATA markers around the text of inline <script>
and <style>
elements in XHTML documents. But so that the document can also be parsed by HTML parsers, which do not recognise the CDATA markers, the CDATA markers are usually commented-out, as in this JavaScript example:
<script type="text/javascript">
//<![CDATA[
document.write("<");
//]]>
</script>
or this CSS example:
<style type="text/css">
/*<![CDATA[*/
body { background-image: url("marble.png?width=300&height=300") }
/*]]>*/
</style>
This technique is only necessary when using inline scripts and stylesheets, and is language-specific. CSS stylesheets, for example, only support the second style of commenting-out (/* … */
), but CSS also has less need for the <
and &
characters than JavaScript and so less need for explicit CDATA markers.
CDATA in DTDs
CDATA-type attribute value
In Document Type Definition (DTD) files for SGML and XML, an attribute value may be designated as being of type CDATA: arbitrary character data. Within a CDATA-type attribute, character and entity reference markup is allowed and will be processed when the document is read.
For example, if an XML DTD contains
<!ATTLIST foo a CDATA #IMPLIED>
it means that elements named foo may optionally have an attribute named "a" which is of type CDATA. In an XML document that is valid according to this DTD, an element like this might appear:
<foo a="1 & 2 are < 3 
" />
and an XML parser would interpret the "a" attribute's value as being the character data "1 & 2 are < 3".
CDATA-type entity
An SGML or XML DTD may also include entity declarations in which the token CDATA is used to indicate that entity consists of character data. The character data may appear within the declaration itself or may be available externally, referenced by a URI. In either case, character reference and parameter entity reference markup is allowed in the entity, and will be processed as such when it is read.
<DISPLAY_NAME Attribute="Y"><![CDATA[PFTEST0__COUNTER_6__:4:199:, PFTEST0__COUNTER_7__:4:199:]]></DISPLAY_NAME>
<SVLOBJECT><LONG name="" val="" INTEGER name="" val="" LONG name="" val=""/></SVLOBJECT>