7 Sep 2008 20:05
Re: Preventing XPath injection
Marius Gedminas <marius <at> pov.lt>
2008-09-07 18:05:58 GMT
On Sun, Sep 07, 2008 at 12:16:25PM -0500, Ian Bicking wrote:
> Geoffrey Sneddon wrote:
> > On 6 Sep 2008, at 18:52, Alex Klizhentas wrote:
> >
> >> That's strange, I thought it should be quoted like: '
> >
> > Nope. A string is "[^"]*" or '[^']*' — it is exactly what is between
> > the quotes.
>
> When I was trying to figure out CSS to XPath translation, I tried to
> figure out how string quoting worked in XPath. Unfortunately I couldn't
> find any reference to string quoting in the specs (though of course I
> might have missed it). This seemed like a very peculiar omission.
XPath 2.0 spec rectifies that:
The value of a string literal is an atomic value whose type is
xs:string and whose value is the string denoted by the characters
between the delimiting apostrophes or quotation marks. If the literal
is delimited by apostrophes, two adjacent apostrophes within the
literal are interpreted as a single apostrophe. Similarly, if the
literal is delimited by quotation marks, two adjacent quotation marks
within the literal are interpreted as one quotation mark.
-- http://www.w3.org/TR/xpath20/#id-literals
XPath 1.0 is silent on the matter. I suppose you could always
concatenate strings, e.g. concat("Look, it's a ", '"quoted string"!')...
Marius Gedminas
--
Hoping the problem magically goes away by ignoring it is the "microsoft
approach to programming" and should never be allowed.
-- Linus Torvalds
_______________________________________________
lxml-dev mailing list
lxml-dev <at> codespeak.net
http://codespeak.net/mailman/listinfo/lxml-dev
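The concat() workaround the reply suggests, carried through as a general quoting routine. This is an added example, not code from the thread or from lxml: it builds a proper XPath 1.0 string literal for any value (plain apostrophe or quotation-mark delimiters where one suffices, concat() when the value contains both), shows the XPath 2.0 doubled-delimiter form for contrast, and puts an injectable query next to the hardened one. The `<users>` document, the `user`/`name`/`role` element and attribute names, and the `nobody' or '1'='1` payload are constructed for the example; the lxml evaluation step is optional and skipped if lxml is not installed.

```python
"""Quoting a user-supplied value for an XPath 1.0 predicate.

Added example, not code from the thread or from lxml itself.  XPath 1.0
string literals have no escape mechanism, so a value that contains both
' and " cannot be written as one literal; it has to be assembled with
concat().  The sample document, element/attribute names and payloads
below are constructed for the example.
"""


def xpath_string_literal(value: str) -> str:
    """Return an XPath 1.0 expression whose value is exactly `value`."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    # Both delimiters are present.  Split on apostrophes: each chunk can be
    # wrapped in apostrophes, and the apostrophes themselves go back in as
    # the literal "'" (an apostrophe delimited by quotation marks).
    pieces = []
    for i, chunk in enumerate(value.split("'")):
        if i:
            pieces.append("\"'\"")
        if chunk:
            pieces.append("'%s'" % chunk)
    # concat() needs at least two arguments; with both delimiters present
    # there is always at least one "'" piece and one non-empty chunk.
    return "concat(%s)" % ", ".join(pieces)


def xpath2_string_literal(value: str) -> str:
    """XPath 2.0 form: double the delimiter inside the literal.

    Not valid for an XPath 1.0 engine such as libxml2 (used by lxml),
    where 'O''Brien' is not a single literal.
    """
    return "'%s'" % value.replace("'", "''")


def user_query_unsafe(name: str) -> str:
    """Injectable form: the raw value is pasted between fixed quotes."""
    return "//user[@name='%s']/@role" % name


def user_query_safe(name: str) -> str:
    """Hardened form: the value always becomes one well-formed literal."""
    return "//user[@name=%s]/@role" % xpath_string_literal(name)


# Constructed sample document for the demonstration.
USERS_XML = b"""<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
</users>"""


def roles_for(name: str, query_builder) -> list:
    """Evaluate the built query against USERS_XML with lxml (XPath 1.0)."""
    from lxml import etree  # optional: only needed for the live evaluation
    return etree.fromstring(USERS_XML).xpath(query_builder(name))


if __name__ == "__main__":
    payload = "nobody' or '1'='1"
    try:
        print("unsafe:", roles_for(payload, user_query_unsafe))  # every role
        print("safe:  ", roles_for(payload, user_query_safe))    # []
        print("safe:  ", roles_for("alice", user_query_safe))    # ['admin']
    except ImportError:
        print("lxml not installed; showing the built expressions only")
        print(user_query_unsafe(payload))
        print(user_query_safe(payload))
```

With lxml present, the unsafe query returns every role because the payload closes the literal and appends `or '1'='1`; the safe query wraps the same payload in quotation marks, so it is compared as an ordinary string and matches nothing. Note that concat() is the only option on XPath 1.0 engines; the doubled-delimiter form is an XPath 2.0 rule and must not be relied on with libxml2.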