From: Adam R. <ad...@ex...> - 2012-09-07 15:35:25
I don't know of an existing regexp, but you could build a regexp based on the BNF defined in the spec here - http://www.w3.org/TR/REC-xml/#sec-starttags

Maybe simpler is just to try and construct an xs:QName() from your element or attribute name inside of a try {} catch {} block, if it's not a valid QName it ain't a valid element or attribute name ;-)

On 7 September 2012 16:23, Dave Finton <dav...@gm...> wrote:
> I'm in the process of putting together a script that takes a user-supplied
> or system-defined string (via a URL parameter usually) and uses that string
> as part of an XPath expression that will ultimately be processed in a
> util:eval(...) function call. One of the problems with this is the potential
> for security vulnerabilities through code injection, so I want to make sure
> the user-defined string passes a few tests before passing it along to
> util:eval. One such test is to make sure the user-supplied string is in fact
> a valid XML element and/or attribute name. Here's where I ran into a
> problem.
>
> I started off on what I thought would be a 15-minute research project: find
> a regex I can use in XQuery (i.e. something I can use in the fn:matches(...)
> function) that I could use to validate or invalidate that a given arbitrary
> string was a valid XML element and/or attribute label. I've found some
> examples in Java, PHP, and other languages, but nothing for XQuery. Even
> worse, the examples I did find were in comment threads where no one seemed
> to agree what the "correct" solution is. I went through "official"
> documentation from various sources including those from the w3schools web
> site as well, to no avail.
>
> The most helpful thing I could find were the following rules in plain
> English (from w3schools):
>
> Names can contain letters, numbers, and other characters
> Names cannot start with a number or punctuation character
> Names cannot start with the letters xml (or XML, or Xml, etc)
> Names cannot contain spaces
>
> Now I am in the process of putting together my own regex checking algorithm,
> but I haven't had much luck in getting it to work correctly. I figured I
> would ask the greater community if there was a quick solution before I spend
> too many hours trying to solve what I hoped would be a relatively simple
> problem. :-)
>
> eXist details:
> eXist 2.1 trunk, rev 17098
> Java 1.6
> MacOS X 10.7.4
>
> --
> David Finton

--
Adam Retter
eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb
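
The two checks suggested in the reply above, written out as an added example (not code from the thread or from eXist). The `local:` function names are hypothetical, the sample inputs are constructed, and an XQuery 3.0 processor is assumed (try/catch, and casting a non-literal string to xs:QName).

```xquery
xquery version "3.0";

(: Added example; all local: function names are hypothetical. :)

(: Regex route. XPath/XQuery regular expressions follow XML Schema syntax,
   where \i matches an XML name start character and \c an XML name
   character, so the BNF does not have to be transcribed by hand.
   [\i-[:]] subtracts the colon, which gives the NCName production. :)
declare function local:is-ncname($s as xs:string) as xs:boolean {
    matches($s, "^[\i-[:]][\c-[:]]*$")
};

(: Cast route, as suggested in the reply. Two caveats:
   1. casting collapses leading and trailing whitespace before validating,
      so " title " is accepted although the raw string is not a name;
   2. a prefixed name only casts if its prefix is declared in scope.
   Returns the empty sequence when the string is rejected. :)
declare function local:checked-qname($s as xs:string) as xs:QName? {
    try { xs:QName($s) } catch * { () }
};

(: Build a path step only from a name that passed the stricter regex check;
   the returned string is what would be concatenated into the expression
   handed to util:eval. :)
declare function local:child-step($name as xs:string) as xs:string {
    if (local:is-ncname($name))
    then concat("child::", $name)
    else error(xs:QName("local:invalid-name"),
               concat("rejected element name: ", $name))
};

(: Constructed sample inputs: two valid names, then four that must not
   reach the evaluated expression unchanged. :)
for $candidate in ("title", "my-elem.1", "1abc", "a b", "a/b", " title ")
return
    <check input="{$candidate}"
           regex="{local:is-ncname($candidate)}"
           cast="{exists(local:checked-qname($candidate))}"/>
```

The last input is where the two routes differ: when using the cast route, build the expression from the value the cast returned rather than from the raw parameter.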