On tis, 2011-07-26 at 22:44 +0200, Florian Pflug wrote: > While reviewing the (now applied) XPATH escaping patches, Radoslaw > found one > case where the previous failure of XPATH to escape its return value > was offset > by XMLATTRIBUTES insistence to escape all input values, even if > they're > already of type XML. > > To wit, if you do > > SELECT XMLELEMENT(NAME "t", XMLATTRIBUTES('&'::XML AS "a")) > > you get > > xmlelement > -------------------- > <t a="&amp;"/>
Per SQL standard, the attribute values may not be of type XML, so maybe we should just prohibit it. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers