jackrabbit-users mailing list archives

From "Marc Speck" <marcsp...@gmail.com>
Subject Are XPath injections possible?
Date Mon, 25 Aug 2008 07:41:28 GMT
I'm not an expert in XPath (in Jackrabbit), but given the nature of SQL
injections, I suspect that similar attacks in XPath are possible? I've just
browsed org.apache.jackrabbit.commons.query.GQL and saw in parse() that you
escape [, !, etc. Is there an escape method for user-generated queries in
Jackrabbit, or do you recommend using GQL once it's out?

Thanks,
Marc
