Hi David,

You can use fn:exists(fn:QName($bad-uri, "x")). Just make sure this runs in 1.0-ml, otherwise it will throw XDMP-URI just the same.

The doc() is pretty permissive by the way. Did a quick check, and I only found ^ so far that was rejected by doc().

Cheers,
Geert

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of David Sewell
Sent: Wednesday 30 April 2014 16:32
To: General Mark Logic Developer Discussion
Subject: [MarkLogic Dev General] Testing for invalid URI before fn:doc() gets to it

A rare 500 error showed up in our logfile recently that was the evident result of someone trying to mount an injection attack via URIs meant to pass code to PHP. We have pretty solid handling of server-side errors so there's no real security problem, but I'm a bit stumped as to how to tighten our calls to fn:doc() to prevent them handling invalid URIs.

Basically, the ErrorLog.txt error was similar to

XDMP-URI: (err:FODC0005) fn:doc("some.php?module=/path/with/badURI") -- Invalid URI format: "some.php?module=/path/with/badURI"

where the argument to fn:doc() contained the attempted injection string.

The specs for fn:doc($uri as xs:string?) say "if $uri is not a valid URI, an error may be raised [err:FODC0005]." Clear enough, and I could just put a try/catch around the call to fn:doc(). But what I'd rather do is to test for URI validity before passing the string to fn:doc() in the first place. I thought that testing along the lines of

if ($string castable as xs:anyURI) then ....

would do it, but that appears to return true no matter what string it receives. For example, "tug%x" castable as xs:anyURI returns true. (Saxon and BaseX return false--should MarkLogic?)

Is there any alternative to try/catch here?
--
David Sewell, Editorial and Technical Manager
ROTUNDA, The University of Virginia Press
PO Box 400314, Charlottesville, VA 22904-4314 USA
Email: [email protected]
Tel: +1 434 924 9973
Web: http://rotunda.upress.virginia.edu/
_______________________________________________
General mailing list
[email protected]
http://developer.marklogic.com/mailman/listinfo/general
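An added example, not from either message in the thread, of the defensive approach David is after in MarkLogic XQuery 1.0-ml: the incoming string is checked against an allowlist pattern before fn:doc() ever sees it, and the call itself stays wrapped in try/catch as a backstop for anything the pattern lets through. The /docs/... pattern, the local:safe-doc name and the log text are assumptions chosen for illustration, not the application's own values.

```xquery
xquery version "1.0-ml";

(: Added example. Assumes the application's document URIs all look like
   /docs/<name>.xml; adjust the pattern to the real URI scheme in use. :)
declare variable $allowed-uri-pattern as xs:string := "^/docs/[A-Za-z0-9_-]+\.xml$";

(: Returns the document for a trusted-looking URI, or the empty sequence
   for anything else. Never lets an unchecked string reach fn:doc(). :)
declare function local:safe-doc($uri as xs:string?) as document-node()?
{
  if (fn:empty($uri) or $uri eq "") then ()

  (: Allowlist first: a request string such as
     "some.php?module=/path/with/badURI" fails this test and is dropped
     before fn:doc() can raise XDMP-URI / err:FODC0005. :)
  else if (fn:not(fn:matches($uri, $allowed-uri-pattern))) then (
    xdmp:log(fn:concat("safe-doc: rejected URI by pattern: ", $uri), "notice"),
    ()
  )

  (: Backstop: fn:doc() may still complain about a URI that passed the
     pattern, so catch the error, record it and return empty instead
     of surfacing a 500 to the caller. :)
  else
    try {
      fn:doc($uri)
    }
    catch ($e) {
      xdmp:log(fn:concat("safe-doc: fn:doc() error ", fn:string($e/error:code),
                         " for URI: ", $uri), "notice"),
      ()
    }
};

(: Constructed inputs: one well-formed application URI, one injection-style
   string of the kind seen in the error log. :)
local:safe-doc("/docs/good.xml"),
local:safe-doc("some.php?module=/path/with/badURI")
```

The second call returns empty and writes a notice to ErrorLog.txt rather than raising XDMP-URI, so the request never turns into a server error.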
