Markus Winand writes:
> The XML output of explain potentially outputs the XML tag names
> "I/O-Write-Time" and "I/O-Read-Time", which are invalid due to the slash.


> Although the patch fixes the problem for the moment, it is incomplete in the
> sense that it continues to check against an incomplete black list. I guess
> this is how it slipped in: XML explain was added in 9.0, I/O timings in 9.2.

Yeah.  The whitelist approach would look something like

        appendStringInfoChar(es->str, strchr(XMLCHARS, *s) ? *s : '-');

which would be quite a few more cycles than just testing for ' ' and '/'.
So I'm not sure it's worth it.  On the other hand, I have little faith
that we wouldn't make a similar mistake in future.

                        regards, tom lane
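
The two approaches discussed in this message, side by side, as an added example that is not code from the thread or from the PostgreSQL source: the allowlist is precomputed into a 256-entry table so the per-character cost is one array load rather than a strchr() scan. Assumptions: the definition of XMLCHARS (an ASCII subset of XML name characters), the function names, and the sample label "Rows <est>" are constructed here, and labels are assumed to start with a letter.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: the message names XMLCHARS but does not define
 * it.  This is an ASCII subset of the characters XML permits in a name. */
#define XMLCHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" \
                 "0123456789-_."

static unsigned char xml_ok[256];   /* 1 = character is in XMLCHARS */

static void build_xml_ok(void)
{
    for (const char *p = XMLCHARS; *p; p++)
        xml_ok[(unsigned char) *p] = 1;
}

/* Denylist as described in the thread: only ' ' and '/' are replaced. */
size_t tag_denylist(const char *label, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    for (; *label && n + 1 < outlen; label++)
        out[n++] = (*label == ' ' || *label == '/') ? '-' : *label;
    out[n] = '\0';
    return n;
}

/* Allowlist: every character outside XMLCHARS becomes '-'. */
size_t tag_allowlist(const char *label, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    if (!xml_ok['a']) build_xml_ok();       /* build the table on first use */
    for (; *label && n + 1 < outlen; label++)
        out[n++] = xml_ok[(unsigned char) *label] ? *label : '-';
    out[n] = '\0';
    return n;
}

int main(void)
{
    char deny[64], allow[64];
    const char *label = "Rows <est>";       /* constructed, not a real label */
    tag_denylist(label, deny, sizeof deny);
    tag_allowlist(label, allow, sizeof allow);
    printf("denylist: <%s>  allowlist: <%s>\n", deny, allow);
    return 0;
}
```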
