[lxml-dev] Preventing XPath injection
Alex Klizhentas
klizhentas at gmail.com
Sat Sep 6 19:52:30 CEST 2008
That's strange, I thought it should be quoted like: '
2008/9/6 Geoffrey Sneddon <foolistbar at googlemail.com>
>
> On 6 Sep 2008, at 13:18, Alex Klizhentas wrote:
>
>> Hi All, I'm facing the following issue:
>>
>> xslt transformations accept xpath expressions as parameters, and if you
>> write something like:
>>
>> transform(a,param = " ' ' ' ") - xpath evaluation will fail. Is there
>> any
>> common/standard way to prevent that?
>>
>
> No, what I've been using is:
>
> def escapeXPathString(string):
>     return u"concat('', '%s')" % string.replace(u"'", u"', \"'\", '")
>
> The first parameter to the concat function is needed because it must always
> have at least two parameters.
>
>
> --
> Geoffrey Sneddon
> <http://gsnedders.com/>
>
>
--
Regards,
Alex
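As an added example (not code from this thread), the concat() approach from the reply, generalized so that a value containing both kinds of quote is still emitted as one well-formed XPath 1.0 string literal. The user/@name query, the constructed sample document and the lxml-based helper are assumptions for illustration; lxml is only needed by that last helper.

```python
"""XPath string-literal quoting, an added example (not code from this thread)."""


def xpath_string_literal(value: str) -> str:
    """Return an XPath 1.0 expression that evaluates to exactly ``value``.

    XPath 1.0 string literals have no escape syntax: a single-quoted literal
    cannot contain ' and a double-quoted one cannot contain ".  So:
      - no single quote in the value  -> wrap it in single quotes
      - no double quote in the value  -> wrap it in double quotes
      - both kinds present            -> split on ' and rebuild the value
        with concat(), inserting "'" between the pieces (the same concat()
        trick as in the reply, generalized to pick the quote style).
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: every piece is free of ', so each can be a
    # single-quoted literal; the ' separators become double-quoted "'".
    pieces = ", \"'\", ".join(f"'{p}'" for p in value.split("'"))
    return f"concat({pieces})"


def user_query_unsafe(name: str) -> str:
    """Vulnerable form: caller text is pasted straight into the expression.
    A name containing ' breaks the literal, as the original post observed."""
    return f"//user[@name='{name}']"


def user_query_safe(name: str) -> str:
    """Hardened form: the value is always a well-formed string literal."""
    return f"//user[@name={xpath_string_literal(name)}]"


def matching_users(xml_bytes: bytes, name: str) -> list:
    """Evaluate the hardened query with lxml (assumed installed)."""
    from lxml import etree  # imported here so the rest runs without lxml

    root = etree.fromstring(xml_bytes)
    return [u.get("name") for u in root.xpath(user_query_safe(name))]


if __name__ == "__main__":
    # Constructed sample document and the awkward input from the post.
    sample = b"<users><user name=\" ' ' ' \"/><user name='O&#39;Brien &quot;Bob&quot;'/></users>"
    for name in (" ' ' ' ", 'O\'Brien "Bob"'):
        print(user_query_unsafe(name), "->", user_query_safe(name))
        print(matching_users(sample, name))
```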