True, but xdmp:unpath also isn't nearly as susceptible to injection attacks as 
more powerful functions are.

There is a gradient of increasing power and increasing risk, from the 
relatively safe xdmp:unpath to xdmp:value, xdmp:invoke, xdmp:spawn, and 
xdmp:eval. To avoid injection attacks, check your inputs and use the 
least-powerful function that you can. A timestamp assert can also be a useful 
tool, since it ensures that the query is read-only.

-- Mike

On 2 Dec 2011, at 10:29 , Joseph Bryan wrote:

> There are substantial limitations to xdmp:unpath(). It can only process
> XPath expressions that would be returned by xdmp:path(). In my
> experience, that includes child nodes and positional predicates.
> 
> http://docs.marklogic.com/5.0doc/docapp.xqy#search.xqy?start=1&cat=all&query=xdmp:unpath&button=search
> 
> Thanks.
> 
> -jb
> 
> On Fri, Dec 2, 2011 at 1:22 PM, Lewon, Paul <[email protected]> wrote:
>> It does work.
>> 
>> -----Original Message-----
>> From: [email protected] 
>> [mailto:[email protected]] On Behalf Of Lee, David
>> Sent: Friday, December 02, 2011 1:19 PM
>> To: General MarkLogic Developer Discussion
>> Subject: Re: [MarkLogic Dev General] xdmp:unquote of a path and "Invalid 
>> root text "
>> 
>> Did that work?
>> I wouldn't expect it to.  XQuery doesn't support dynamic xpath expansion so I 
>> don't expect that to work.
>> 
>> 
>> ----------------------------------------
>> David A. Lee
>> Senior Principal Software Engineer
>> Epocrates, Inc.
>> [email protected]
>> 812-482-5224
>> 
>> -----Original Message-----
>> From: [email protected] 
>> [mailto:[email protected]] On Behalf Of Lewon, Paul
>> Sent: Friday, December 02, 2011 1:09 PM
>> To: General MarkLogic Developer Discussion
>> Subject: Re: [MarkLogic Dev General] xdmp:unquote of a path and "Invalid 
>> root text "
>> 
>> Yes!
>> 
>> Thanks Joseph.
>> 
>> Paul
>> 
>> -----Original Message-----
>> From: [email protected] 
>> [mailto:[email protected]] On Behalf Of Joseph Bryan
>> Sent: Friday, December 02, 2011 1:06 PM
>> To: General MarkLogic Developer Discussion
>> Subject: Re: [MarkLogic Dev General] xdmp:unquote of a path and "Invalid 
>> root text "
>> 
>> Hi Paul,
>> 
>> I think you're looking for xdmp:unpath(). xdmp:unquote() expands escaped
>> xml strings into xml elements.
>> 
>> example:
>> 
>> let $string := "<root>child text<child-element />more text</root>"
>> return xdmp:unquote($string)
>> 
>> Thanks.
>> 
>> -jb
>> 
>> On Fri, Dec 2, 2011 at 12:46 PM, Lewon, Paul <[email protected]> wrote:
>>> Hi all,
>>> 
>>> 
>>> 
>>> I must be misunderstanding something fundamental. If I do this:
>>> 
>>> 
>>> 
>>> xquery version "1.0-ml";
>>> 
>>> 
>>> 
>>> declare namespace clml =
>>> "http://www.xml.cengage.learning-marklogic.com/marklogic";
>>> 
>>> declare namespace clg =
>>> "http://www.xml.cengage-learning-gale.com/docbook-core";
>>> 
>>> 
>>> 
>>> 
>>> 
>>> let $attribute-sequence :=
>>> /clml:resource/clml:content/clg:article/clg:section/clg:para/clg:emphasis/@*
>>> 
>>> return fn:distinct-values($attribute-sequence)
>>> 
>>> 
>>> 
>>> I get the results I expect. But if I do this.
>>> 
>>> 
>>> 
>>> xquery version "1.0-ml";
>>> 
>>> 
>>> 
>>> declare namespace clml =
>>> "http://www.xml.cengage.learning-marklogic.com/marklogic";
>>> 
>>> declare namespace clg =
>>> "http://www.xml.cengage-learning-gale.com/docbook-core";
>>> 
>>> 
>>> 
>>> let $path :=
>>> '/clml:resource/clml:content/clg:article/clg:section/clg:para/clg:emphasis'
>>> 
>>> let $attribute-sequence := xdmp:unquote($path)/@*
>>> 
>>> return fn:distinct-values($attribute-sequence)
>>> 
>>> 
>>> 
>>> I get an "Invalid Root Text" error. What am I missing?
>>> 
>>> 
>>> 
>>> Thanks,
>>> 
>>> 
>>> 
>>> Paul Lewon
>>> 
>>> Content Systems, Global Production & Manufacturing Services
>>> 
>>> Cengage Learning
>>> 
>>> 27500 Drake Rd. Farmington Hills, MI  48331
>>> 
>>> 
>>> 
>>> (: 248-699-4253, ext. 1602 | *: [email protected] | www.cengage.com
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> General mailing list
>>> [email protected]
>>> http://developer.marklogic.com/mailman/listinfo/general
>>> 

_______________________________________________
General mailing list
[email protected]
http://developer.marklogic.com/mailman/listinfo/general
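
An added example, not part of the original thread, of the advice in the reply at the top: check the input, use the least-powerful function, and assert that the request is read-only. The helper names `local:safe-unpath` and `local:assert-read-only`, the error names, and the accepted path shape (child steps with optional positional predicates, as described in the thread) are assumptions.

```xquery
xquery version "1.0-ml";

declare namespace clml = "http://www.xml.cengage.learning-marklogic.com/marklogic";
declare namespace clg = "http://www.xml.cengage-learning-gale.com/docbook-core";

(: Hypothetical helper, not a MarkLogic built-in. Accepts only paths made of
   child steps (optional prefix, name, optional positional predicate), the
   shape the thread says xdmp:unpath can process. Everything else is
   rejected before any dynamic evaluation happens. :)
declare function local:safe-unpath($path as xs:string) as node()*
{
  let $step := "/([A-Za-z_][\w.\-]*:)?[A-Za-z_][\w.\-]*(\[\d+\])?"
  return
    if (fn:matches($path, fn:concat("^(", $step, ")+$")))
    then xdmp:unpath($path)
    else fn:error(xs:QName("BAD-PATH"), "Rejected path expression", $path)
};

(: Timestamp assert: xdmp:request-timestamp() is empty in an update
   statement, so this raises unless the request runs as a read-only query. :)
declare function local:assert-read-only() as empty-sequence()
{
  if (fn:exists(xdmp:request-timestamp())) then ()
  else fn:error(xs:QName("NOT-READ-ONLY"), "Request is not a timestamped query")
};

(: Constructed sample inputs: the path from the thread, a path with a
   positional predicate, and two strings that are not plain paths and must
   never reach xdmp:value or xdmp:eval. :)
let $_ := local:assert-read-only()
for $candidate in (
  "/clml:resource/clml:content/clg:article/clg:section/clg:para/clg:emphasis",
  "/clml:resource[1]/clml:content",
  "fn:collection()",
  "/clml:resource, fn:doc()"
)
return
  try { fn:count(local:safe-unpath($candidate)) }
  catch ($e) { fn:concat("rejected: ", $candidate) }
```

The first two candidates return a node count; the last two are rejected by the pattern check and never reach `xdmp:unpath`.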
