Markus Winand <markus.win...@winand.at> writes:
> The XML output of explain potentially outputs the XML tag names
> "I/O-Write-Time" and "I/O-Read-Time", which are invalid due to the slash.

Ooops.

> Although the patch fixes the problem for the moment, it is incomplete in the
> sense that it continues to check against an incomplete black list. I guess
> this is how it slipped in: XML explain was added in 9.0, I/O timings in 9.2.

Yeah.  The whitelist approach would look something like

        appendStringInfoChar(es->str, strchr(XMLCHARS, *s) ? *s : '-');

which would be quite a few more cycles than just testing for ' ' and '/'.
So I'm not sure it's worth it.  On the other hand, I have little faith
that we wouldn't make a similar mistake in future.

                        regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
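
The trade-off discussed in the message above, as an added example that is not part of the original e-mail or of PostgreSQL's source: the same labels run through a blacklist and through a whitelist, then checked against the XML Name rules. The contents of `XMLCHARS`, the function names and the second label are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed whitelist: ASCII subset of XML NameChar, without ':' (namespaces). */
#define XMLCHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_."

/* Blacklist style: only the characters listed in `bad` are mapped to '-'. */
static char *tag_blacklist(const char *s, const char *bad, char *out, size_t n)
{
    size_t i = 0;
    if (n == 0) return out;
    for (; *s && i + 1 < n; s++)
        out[i++] = strchr(bad, *s) ? '-' : *s;
    out[i] = '\0';
    return out;
}

/* Whitelist style: anything not in XMLCHARS is mapped to '-'. */
static char *tag_whitelist(const char *s, char *out, size_t n)
{
    size_t i = 0;
    if (n == 0) return out;
    for (; *s && i + 1 < n; s++)
        out[i++] = strchr(XMLCHARS, *s) ? *s : '-';
    out[i] = '\0';
    return out;
}

/* ASCII-only check of the XML Name production: the first character must be
 * a letter or '_', every later character must be in XMLCHARS. */
static int xml_name_ok(const char *s)
{
    if (!*s || !strchr(XMLCHARS, *s) || strchr("0123456789-.", *s)) return 0;
    for (s++; *s; s++)
        if (!strchr(XMLCHARS, *s)) return 0;
    return 1;
}

int main(void)
{
    /* First label is the one from the report; the second is constructed. */
    const char *labels[] = { "I/O Write Time", "Rows (est.) <1%" };
    char a[64], b[64], c[64];
    for (int i = 0; i < 2; i++) {
        tag_blacklist(labels[i], " ", a, sizeof a);   /* space only */
        tag_blacklist(labels[i], " /", b, sizeof b);  /* space and slash */
        tag_whitelist(labels[i], c, sizeof c);
        printf("%-16s | %s (%d) | %s (%d) | %s (%d)\n", labels[i],
               a, xml_name_ok(a), b, xml_name_ok(b), c, xml_name_ok(c));
    }
    return 0;
}
```

A whitelist of characters does not by itself guarantee a valid first character: a label that begins with a digit, '-' or '.' still yields a name that `xml_name_ok` rejects.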
