[lxml-dev] Preventing XPath injection
Geoffrey Sneddon
foolistbar at googlemail.com
Sun Sep 7 20:24:30 CEST 2008
On 7 Sep 2008, at 19:05, Marius Gedminas wrote:
> XPath 1.0 is silent on the matter. I suppose you could always
> concatenate strings, e.g. concat("Look, it's a ", '"quoted
> string"!')...
I just read/interpreted the XML EBNF as meaning there was no escaping,
and removed the leading/trailing quote char for it to be logical. Which
seems to be how things work.
--
Geoffrey Sneddon
<http://gsnedders.com/>
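
The concat() approach from the quoted message, as an added example (not code from this thread or from lxml): a helper that turns an arbitrary string into an XPath 1.0 expression, splitting on quote characters because literals have no escape syntax. The names xpath_literal, evaluate_literal and build_query, and the //user[@name=...] query, are assumptions made for illustration.

```python
import re


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 expression that evaluates to `value`.

    XPath 1.0 literals are "..." or '...' with no escaping, so a value
    holding both quote characters is split and rejoined with concat().
    """
    if '"' not in value:
        return f'"{value}"'
    if "'" not in value:
        return f"'{value}'"
    parts = []
    # Runs without '"' go in double quotes; runs of '"' go in single quotes.
    for chunk in re.findall(r'[^"]+|"+', value):
        quote = "'" if chunk[0] == '"' else '"'
        parts.append(f"{quote}{chunk}{quote}")
    return "concat(" + ", ".join(parts) + ")"


# Literal ::= '"' [^"]* '"' | "'" [^']* "'"   (XPath 1.0 grammar)
_LITERAL = re.compile(r'"([^"]*)"|' r"'([^']*)'")


def evaluate_literal(expr: str) -> str:
    """Evaluate the output of xpath_literal() back to a string.

    Raises ValueError if anything other than literals separated by
    ", " is found, i.e. if the value escaped its quoting.
    """
    body = expr[len("concat("):-1] if expr.startswith("concat(") else expr
    pos, out = 0, []
    while pos < len(body):
        m = _LITERAL.match(body, pos)
        if m is None:
            raise ValueError(f"not a literal at offset {pos}: {body!r}")
        out.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
        if body.startswith(", ", pos):
            pos += 2
        elif pos != len(body):
            raise ValueError(f"unexpected text at offset {pos}: {body!r}")
    return "".join(out)


def build_query(name: str) -> str:
    # Hypothetical query shape; the untrusted value stays one string operand.
    return f"//user[@name={xpath_literal(name)}]"
```

Where the XPath engine supports variables (lxml's xpath() accepts $name references bound through keyword arguments), passing the value as a variable avoids building literals at all.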