Hi Alex,

Thanks for the quick response.

> 1) JCR SQL and XPath are read-only (no DROP TABLE attacks)

Indeed, that makes it much more secure.

> 2) XPath syntax is much more specific, so you cannot easily add
> another statement in an injection

"cannot easily add" is not very reassuring in a security context ;-) But given 1), the worst thing that could happen is that the user gets more results. Providing ACLs in JSR 283 is going to work fine; the user has no access to hidden information.

> http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java?view=markup

Thanks for that, didn't know.

Marc
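The "user gets more results" case from the exchange above, as an added example that is not part of the original thread and not Jackrabbit code: a JCR XPath query built by concatenating an untrusted title, next to the same query with the literal escaped. The escape used is the XPath 2.0 string-literal rule (a single quote inside a single-quoted literal is written as two single quotes), which is an assumption about the repository's XPath parser; Jackrabbit's own escaping helpers live in the Text.java linked above and are not called here. The small predicate_shape helper is constructed for this demo only, to make the structural change visible; it is not an XPath parser.

```python
import re

# Constructed sample input: a title value an attacker might submit.
INJECTED_TITLE = "' or @jcr:title != '"
BENIGN_TITLE = "report.txt"


def build_query_unsafe(title: str) -> str:
    """Vulnerable form: the untrusted value is concatenated into the literal."""
    return "//element(*, nt:file)[@jcr:title = '" + title + "']"


def escape_xpath_literal(value: str) -> str:
    """Assumption: the parser accepts the XPath 2.0 '' escape inside a
    single-quoted literal. Check this against your repository's grammar."""
    return value.replace("'", "''")


def build_query_safe(title: str) -> str:
    """Hardened form: same query, but the literal is escaped first."""
    return "//element(*, nt:file)[@jcr:title = '" + escape_xpath_literal(title) + "']"


def predicate_shape(query: str) -> dict:
    """Split the [...] predicate into string literals and the text outside
    them, then count comparisons and 'or' operators outside literals.
    Demo helper only: it understands single-quoted literals with '' escapes
    and nothing else."""
    pred = query[query.index("[") + 1 : query.rindex("]")]
    literals, outside, i = [], [], 0
    while i < len(pred):
        if pred[i] == "'":
            j, buf = i + 1, []
            while j < len(pred):
                if pred[j] == "'":
                    if j + 1 < len(pred) and pred[j + 1] == "'":
                        buf.append("'")  # doubled quote is an escaped quote
                        j += 2
                        continue
                    break  # closing quote
                buf.append(pred[j])
                j += 1
            literals.append("".join(buf))
            i = j + 1
        else:
            outside.append(pred[i])
            i += 1
    outside_text = "".join(outside)
    return {
        "literals": literals,
        "comparisons": len(re.findall(r"@[\w:]+\s*(?:=|!=)", outside_text)),
        "ors": len(re.findall(r"\bor\b", outside_text)),
    }


if __name__ == "__main__":
    for title in (BENIGN_TITLE, INJECTED_TITLE):
        for build in (build_query_unsafe, build_query_safe):
            q = build(title)
            print(build.__name__, repr(q), predicate_shape(q))
```

With the injected title the unsafe query ends up with two empty literals joined by an "or", so it matches every nt:file node with a non-empty title that the session is allowed to see; the escaped query keeps a single comparison against the literal string the user typed, which matches nothing. As the thread says, the read-only query languages plus ACL enforcement bound the damage to "more results the user could already read", but that is still an information-exposure bug in the application, so escape (or, in JSR 283, use Query.bindValue with a parameterised query) rather than rely on the grammar being hard to abuse.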
