From: Dave F. <dav...@gm...> - 2012-09-07 15:23:24
I'm in the process of putting together a script that takes a user-supplied or system-defined string (via a URL parameter, usually) and uses that string as part of an XPath expression that will ultimately be processed in a util:eval(...) function call. One of the problems with this is the potential for security vulnerabilities through code injection, so I want to make sure the user-defined string passes a few tests before passing it along to util:eval. One such test is to make sure the user-supplied string is in fact a valid XML element and/or attribute name.

Here's where I ran into a problem. I started off on what I thought would be a 15-minute research project: find a regex I can use in XQuery (i.e. something I can use in the fn:matches(...) function) that I could use to validate or invalidate that a given arbitrary string was a valid XML element and/or attribute label. I found some examples in Java, PHP, and other languages, but nothing for XQuery. Even worse, the examples I did find were in comment threads where no one seemed to agree what the "correct" solution is. I went through "official" documentation from various sources including those from the w3schools web site as well, to no avail. The most helpful thing I could find were the following rules in plain English (from w3schools):

- Names can contain letters, numbers, and other characters
- Names cannot start with a number or punctuation character
- Names cannot start with the letters xml (or XML, or Xml, etc.)
- Names cannot contain spaces

Now I am in the process of putting together my own regex checking algorithm, but I haven't had much luck in getting it to work correctly. I figured I would ask the greater community if there was a quick solution before I spend too many hours trying to solve what I hoped would be a relatively simple problem. :-)

eXist details:
eXist 2.1 trunk, rev 17098
Java 1.6
MacOS X 10.7.4

--
David Finton
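One way to do the check the post asks for, as an added example that is not from the original poster or from eXist-db: it relies on the XML Schema regex escapes \i (NameStartChar) and \c (NameChar) that the XPath fn:matches specification defines, and then uses the validated name as data inside a fixed query instead of splicing it into a string for util:eval. The function names and the $collection parameter are assumptions.

```xquery
xquery version "3.0";

(: Added example, not from the original post. Accepts only a plain,
   unprefixed XML element/attribute name and rejects everything else. :)
declare function local:is-xml-name($candidate as xs:string?) as xs:boolean {
    (: \i and \c are the XML Schema regex classes for NameStartChar and
       NameChar, which fn:matches supports per the XPath F&O spec.
       Both classes admit ':', so prefixed names are excluded explicitly.
       Names beginning with "xml" in any letter case are reserved by XML. :)
    exists($candidate)
    and matches($candidate, '^\i\c*$')
    and not(contains($candidate, ':'))
    and not(matches($candidate, '^xml', 'i'))
};

(: Instead of building an XPath string and handing it to util:eval, treat
   the validated name as a value compared against local-name() inside a
   query that never changes shape. $collection is an assumed parameter. :)
declare function local:elements-named($collection as xs:string,
                                      $name as xs:string) as element()* {
    if (local:is-xml-name($name)) then
        collection($collection)//*[local-name() = $name]
    else
        error(xs:QName('local:bad-name'),
              concat('Rejected element name: ', $name))
};

(: Constructed sample inputs, of the kind a URL parameter might deliver.
   Only the first two are legal unprefixed names. :)
for $s in ('title', '_id', 'ns:title', '1st', 'a b',
           'xmlFoo', 'x or 1=1', 'title[1]//*')
return concat($s, ' -> ', local:is-xml-name($s))
```

The reserved-prefix and colon checks follow the w3schools rules quoted in the post; drop the colon check if qualified names are meant to be allowed and resolve them through a fixed namespace map rather than through eval.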