We do, and users should, but there is a function which allows script authors to construct queries for document names, so they are allowed to finish an HQL query. If the script author is malicious, or if they don't properly use prepared statements, then SQL can be injected into the HQL. See XWiki.searchDocuments: http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xwiki/api/XWiki.html#searchDocuments%28java.lang.String%29
I hope this clears up exactly what the issue is.

Caleb

Gregor Schneider wrote:
> Very simple question:
>
> Instead of manually playing cats & dogs (i.e. escaping backslashes) -
> why don't you just use PreparedStatements?
>
> Just a thought...
>
> Rgds
>
> Gregor
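The point of the reply above is that the API only receives the tail of the query, so whether the value is bound or pasted into the text is decided by the script author. The following Python sketch is an added illustration, not XWiki code: `search_documents`, the `HQL_PREFIX` string and the fragment builders are assumed stand-ins that mimic the shape of a where-clause being appended to a fixed query, and the document name is a constructed input. It places the concatenating fragment beside the parameterized one and adds the review-time check a maintainer would run over a script's fragment.

```python
# Added illustration (not XWiki code): an HQL "where" fragment written by a
# script author either carries the user value inline (injectable) or binds it
# as a parameter. The prefix and helper below are assumptions about the shape
# of the API, not its real implementation.
from typing import List, Optional, Tuple

# Assumed shape of the HQL that the API completes with the author's fragment.
HQL_PREFIX = "select doc.fullName from XWikiDocument as doc where "


def search_documents(where_fragment: str,
                     params: Optional[List[str]] = None) -> Tuple[str, List[str]]:
    """Stand-in for the API: append the script author's fragment to the fixed
    query prefix and return (hql, bound_parameters)."""
    return HQL_PREFIX + where_fragment, list(params or [])


def unsafe_where(doc_name: str) -> str:
    """What an unparameterized script does: paste the value into the fragment.
    The quotes are HQL text, so a quote inside doc_name closes the literal and
    whatever follows is parsed as query syntax."""
    return f"doc.name = '{doc_name}'"


def safe_where(doc_name: str) -> Tuple[str, List[str]]:
    """Parameterized form: the fragment holds only a placeholder and the value
    travels separately, never becoming part of the query text."""
    return "doc.name = ?", [doc_name]


def review_fragment(fragment: str, params: List[str]) -> List[str]:
    """Review-time check on a script's fragment: any string literal means a
    value was concatenated rather than bound, and the placeholder count must
    match the parameter list."""
    findings = []
    if "'" in fragment or '"' in fragment:
        findings.append("string literal in fragment: value was concatenated, not bound")
    if fragment.count("?") != len(params):
        findings.append(f"{fragment.count('?')} placeholder(s) but {len(params)} parameter(s)")
    return findings


# Constructed document name containing a quote; any such value breaks the
# concatenating builder, while the parameterized one is unaffected.
CRAFTED_NAME = "Sandbox' or '1'='1"

if __name__ == "__main__":
    hql, params = search_documents(unsafe_where(CRAFTED_NAME))
    print("concatenated:", hql, "| findings:", review_fragment(unsafe_where(CRAFTED_NAME), params))
    hql, params = search_documents(*safe_where(CRAFTED_NAME))
    print("parameterized:", hql, params, "| findings:", review_fragment(*safe_where(CRAFTED_NAME)))
```

`review_fragment` is deliberately strict: a fragment that is genuinely parameterized has no reason to contain a quote character at all, so flagging every literal is a cheap rule that catches hand-escaping attempts as well as plain concatenation.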
