I'm not an expert on XPath (in Jackrabbit), but given the nature of SQL injections, I suspect that similar attacks in XPath are possible? I've just browsed org.apache.jackrabbit.commons.query.GQL and saw in parse() that you escape [, !, etc. Is there an escape method for user-generated queries in Jackrabbit, or do you recommend using GQL once it's out?
Thanks, Marc
