Markus Winand <markus.win...@winand.at> writes:
> The XML output of explain potentially outputs the XML tag names
> and "I/O-Read-Time", which are invalid due to the slash.
> Although the patch fixes the problem for the moment, it is incomplete in the
> sense that it continues to check against an incomplete black list. I guess
> this is how it slipped in: XML explain was added in 9.0, I/O timings in 9.2.
Yeah. The whitelist approach would look something like
appendStringInfoChar(es->str, strchr(XMLCHARS, *s) ? *s : '-');
which would be quite a few more cycles than just testing for ' ' and '/'.
So I'm not sure it's worth it. On the other hand, I have little faith
that we wouldn't make a similar mistake in future.
regards, tom lane
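To make the difference between the two approaches concrete, here is an added example (not code from the thread or from PostgreSQL): a denylist sanitiser that only rewrites ' ' and '/', next to an allowlist sanitiser built around the `strchr(XMLCHARS, *s)` idea from the reply, plus a small checker for the ASCII XML Name rules. The `XMLCHARS` contents, the function names and the sample property names are assumptions for illustration; the allowlist version also handles a disallowed first byte, which goes beyond the one-liner above.

```c
/* Added example, not PostgreSQL source: allowlist vs denylist sanitising of
 * an EXPLAIN property name into an XML tag name. XMLCHARS, the function
 * names and the sample inputs are assumptions made for this illustration. */
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: the ASCII subset of bytes valid anywhere in an XML Name
 * (letters, digits, '-', '.', '_', ':'). Everything else is rewritten. */
static const char XMLCHARS[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._:";

/* Denylist approach as the thread describes it: only ' ' and '/' become '-',
 * every other byte passes through unchanged. Returns out. */
char *sanitize_denylist(const char *in, char *out, size_t outlen)
{
    size_t i = 0;
    for (; in[i] != '\0' && i + 1 < outlen; i++)
        out[i] = (in[i] == ' ' || in[i] == '/') ? '-' : in[i];
    out[i] = '\0';
    return out;
}

/* Allowlist approach: keep a byte only if it is in XMLCHARS, else emit '-'.
 * An XML Name may not start with a digit, '-' or '.', so a disallowed first
 * byte becomes '_' instead. Returns out. */
char *sanitize_allowlist(const char *in, char *out, size_t outlen)
{
    size_t i = 0;
    for (; in[i] != '\0' && i + 1 < outlen; i++) {
        char c = strchr(XMLCHARS, in[i]) ? in[i] : '-';
        if (i == 0 && (c == '-' || c == '.' || (c >= '0' && c <= '9')))
            c = '_';
        out[i] = c;
    }
    out[i] = '\0';
    return out;
}

/* ASCII XML Name check: non-empty, start byte not a digit/'-'/'.', and every
 * byte drawn from XMLCHARS. Returns 1 when valid, 0 otherwise. */
int is_valid_xml_name(const char *s)
{
    if (s[0] == '\0' || strchr("0123456789-.", s[0]) != NULL)
        return 0;
    for (; *s != '\0'; s++)
        if (strchr(XMLCHARS, *s) == NULL)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample names: the first is the property behind the tag the
     * thread quotes, the others are made up to show what a denylist misses. */
    const char *samples[] = { "I/O Read Time", "Rows (est)", "1st Pass" };
    char deny[64], allow[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sanitize_denylist(samples[i], deny, sizeof deny);
        sanitize_allowlist(samples[i], allow, sizeof allow);
        printf("%-14s denylist=%-14s valid=%d  allowlist=%-14s valid=%d\n",
               samples[i], deny, is_valid_xml_name(deny),
               allow, is_valid_xml_name(allow));
    }
    return 0;
}
```

For the name the thread is about, both sanitisers agree; the constructed names show the denylist letting through bytes it never knew about (parentheses, a leading digit), which is the point of the reply's remark about repeating the mistake in future.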
Sent via pgsql-hackers mailing list (firstname.lastname@example.org)