Re: [HACKERS] XMLATTRIBUTES vs. values of type XML

Peter Eisentraut Wed, 27 Jul 2011 07:19:09 -0700

On tis, 2011-07-26 at 22:44 +0200, Florian Pflug wrote:
> While reviewing the (now applied) XPATH escaping patches, Radoslaw
> found one
> case where the previous failure of XPATH to escape its return value
> was offset
> by XMLATTRIBUTES insistence to escape all input values, even if
> they're
> already of type XML.
> 
> To wit, if you do
> 
>   SELECT XMLELEMENT(NAME "t", XMLATTRIBUTES('&amp;'::XML AS "a"))
> 
> you get
> 
>      xmlelement     
> --------------------
>  <t a="&amp;amp;"/>


Per SQL standard, the attribute values may not be of type XML, so maybe
we should just prohibit it.


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] XMLATTRIBUTES vs. values of type XML

Reply via email to