[lxml-dev] Preventing XPath injection
Geoffrey Sneddon
foolistbar at googlemail.com
Sat Sep 6 15:24:59 CEST 2008
On 6 Sep 2008, at 13:18, Alex Klizhentas wrote:
> Hi All, I'm facing the following issue:
>
> xslt transformations accept xpath expressions as parameters, and if you
> write something like:
>
> transform(a,param = " ' ' ' ") - xpath evaluation will fail. Is there any
> common/standard way to prevent that?
No, what I've been using is:
def escapeXPathString(string):
    # Every ' in the value closes the single-quoted literal and is re-added
    # as the double-quoted literal "'" inside a concat() call.
    return u"concat('', '%s')" % string.replace(u"'", u"', \"'\", '")
The first parameter to the concat function is needed because it must
always have at least two parameters.
--
Geoffrey Sneddon
<http://gsnedders.com/>
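An added example, not code from the thread or from lxml: the reply's escaping helper beside a general variant, and the naive string-pasting it replaces. The XML document, the user names and the query shape are constructed for illustration; evaluation uses lxml only if it happens to be installed.

```python
# Escaping caller-supplied strings for use inside an XPath expression.
# Constructed example: the document and names below are made up.
from typing import List, Optional


def escape_xpath_string(value: str) -> str:
    """The list reply's approach: each ' leaves the single-quoted literal
    and comes back as the double-quoted literal "'" via concat()."""
    return "concat('', '%s')" % value.replace("'", "', \"'\", '")


def xpath_string_literal(value: str) -> str:
    """General variant: quote with whichever quote the value lacks and
    fall back to concat() only when it contains both kinds."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = value.split("'")
    return "concat(%s)" % ", \"'\", ".join("'%s'" % p for p in parts)


def naive_query(name: str) -> str:
    # Vulnerable: the value is pasted straight into the quoted literal,
    # so a ' in it ends the literal and the rest becomes XPath syntax.
    return "//user[@name='%s']/@role" % name


def safe_query(name: str) -> str:
    # Hardened: whatever the value contains, it stays one string literal.
    return "//user[@name=%s]/@role" % xpath_string_literal(name)


SAMPLE_XML = b"""<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
</users>"""


def run_query(expr: str) -> Optional[List[str]]:
    """Evaluate expr against SAMPLE_XML with lxml; returns None when lxml
    is not installed (assumption: it may be absent in this environment)."""
    try:
        from lxml import etree
    except ImportError:
        return None
    return [str(r) for r in etree.fromstring(SAMPLE_XML).xpath(expr)]


if __name__ == "__main__":
    payload = "x' or '1'='1"
    print(naive_query(payload), run_query(naive_query(payload)))  # all roles
    print(safe_query(payload), run_query(safe_query(payload)))    # no match
```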