jackrabbit-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Jackrabbit Wiki] Update of "EncodingAndEscaping" by AlexanderKlimetschek
Date Thu, 24 Jun 2010 13:54:06 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jackrabbit Wiki" for change notification.

The "EncodingAndEscaping" page has been changed by AlexanderKlimetschek.
http://wiki.apache.org/jackrabbit/EncodingAndEscaping?action=diff&rev1=3&rev2=4

--------------------------------------------------

  String path = "/foo/" + Text.escapeIllegalJcrChars(name);
  }}}
  
- Such paths are useful for JCR methods like {{{Session.getItem(...)}}} etc.
+ Such paths are useful for JCR methods like {{{Node.addNode(...), Session.getItem(...)}}}
etc., but usually only when you create nodes in the first place. Once the node exists, its
name just needs to be passed around, but no escaping should happen for accessing the node,
since it will already be in the right form, of course.
  
  == Encoding path in queries ==
  
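Review bot: The added sentence "no escaping should happen for accessing the node" should name the failure it guards against, otherwise readers will still escape defensively: Text.escapeIllegalJcrChars(...) is for the raw user-supplied name at creation time, and applying it again to a name read back from the repository (node.getName() or node.getPath()) escapes the already-escaped form a second time, so the resulting path no longer matches the stored node. Suggested wording: "Escape only the raw input when creating the node; afterwards use the name the repository reports, which is already escaped, and never escape it a second time." Also, Node.addNode(...) takes a relative path, so the snippet's absolute "/foo/" + Text.escapeIllegalJcrChars(name) fits Session.getItem(...) but not addNode; a second line such as parent.addNode(Text.escapeIllegalJcrChars(name)) would make that distinction explicit now that addNode is listed.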
@@ -24, +24 @@

  String query = "/jcr:root" + ISO9075.encodePath(node.getPath()) + "/" + ISO9075.encode(name);
  }}}
  
- For a user-supplied string, this could lead to something like {{{ISO9075.encode(Text.escapeIllegalJcrChars(name))}}}.
+ For a user-supplied string, this could lead to something like {{{ISO9075.encode(Text.escapeIllegalJcrChars(name))}}}.
But in most cases the path given to a query is from a known node, so there is no need for
escaping it with {{{Text.escapeIllegalJcrChars(name)}}}, so just the ISO9075 encoding is required.
  
  == Escaping values in queries ==
  
- For values inserted into the queries, you should do escaping to prevent incorrect values
and query injection. Generally, if you enclose values in single quotes, you just need to replace
any literal single quote character with {{{''}}} (two consecutive single quote characters).
There is also a {{{Text.escapeIllegalXpathSearchChars(...)}}} method you should use for calls
to {{{jcr:contains(...)}}}.
+ For values inserted into the queries, you should do escaping to prevent incorrect values
and query injection. Generally, if you enclose values in single quotes, you just need to replace
any literal single quote character with {{{''}}} (two consecutive single quote characters).
There is also a {{{Text.escapeIllegalXpathSearchChars(...)}}} method you should use for calls
to {{{jcr:contains(...)}}} (see also [[https://issues.apache.org/jira/browse/JCR-1248|JCR-1248]]).
  
  {{{
  String q =
    "/jcr:root/foo/element(*, foo)" +
-   "[jcr:contains(@title, '" + Text.escapeIllegalXpathSearchChars(q).replaceAll("'", "''")
+ "')]" +
+   "[jcr:contains(@title, '" + Text.escapeIllegalXpathSearchChars(searchTerm).replaceAll("'",
"''") + "')]" +
    "[@itemID = '" + itemID.replaceAll("'", "''") + "']";
  }}}
  
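Review bot: Replacing Text.escapeIllegalXpathSearchChars(q) with Text.escapeIllegalXpathSearchChars(searchTerm) fixes a snippet that could not compile (q was referenced inside its own initializer), but searchTerm and itemID are still undeclared; add String searchTerm = ...; and String itemID = ...; above String q =, with a comment that both are untrusted input, so the example is complete. The prose should also state that the two escapes in the jcr:contains argument address different things and are both required: doubling the single quote keeps the string literal intact (the query-injection case), while escapeIllegalXpathSearchChars only keeps the fulltext term parseable (the JCR-1248 case) and does nothing for the @itemID comparison, so it is not a substitute for quote doubling there. Finally, replaceAll on a null searchTerm or itemID throws, so the example should validate or reject null input before building the query.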
