Re: Tip?

I have always been somewhat wary of `eval`, although I cannot deny
there are use cases for it. However, since higher-order functions in
XQuery 3.0 I find that many (but not all) of the cases in the past
where I have seen eval used could be replaced by function
composition; I think it might be good to keep this in mind when
constructing any dynamic evaluation module. For example, do you always
actually need to be able to evaluate any string (containing an XQuery),
or to actually evaluate a function within a different context?
util:eval can open up security issues with regard to code-injection
attacks, whereas function composition can avoid this.

On 26 August 2016 at 12:01, Hans-Juergen Rennau <hrennau@yahoo.de> wrote:
> Hence my proposal to take an initiative towards EXPath standardization, now
> that we have maps.
>
> I understand the problem: EXPath is about XPath functions, and an XPath
> function cannot be required to support XQuery evaluation. But nevertheless I
> suggest standardizing an evaluation function supporting the use of variable
> declarations (and thus giving a target for explicit bindings), even if it's
> not XPath and the expression is constrained to be pure XPath (important when
> thinking of XSLT). The spec might make clear that the argument string
> consists of two parts: an optional prefix part consisting of one or more
> variable declarations using XQuery syntax, followed by the expression
> itself, which implementers might either constrain to be an XPath expression
> or allow to be an XQuery expression.
>
>
> Michael Kay <mike@saxonica.com> wrote on Friday, 26 August 2016 at 9:28:
>
> Michael, I wonder if your worries about preventing optimization are not
> taken care of by the approach BaseX takes. To recapitulate: the BaseX
> approach is to supply *explicit* bindings to external variables declared
> within the expression; the bindings are passed in via a map argument
> providing the name/value pairs. Example:
>
> let $x := 1 return
> xquery:eval('declare variable $y external; $y + 1', map{'y': $x})
>
> Ah, right, I missed that. That is of course essentially what saxon:evaluate
> does except that it predates maps, so you can only bind to one of the fixed
> names $p1 to $p9. Plus we're dealing with XPath rather than XQuery so
> there's no declaration:
>
> saxon:evaluate("$p1 + 1", $x)
>
> Michael Kay
> Saxonica
>

-- 
Adam Retter

eXist Developer
{ United Kingdom }
adam@exist-db.org
irc://irc.freenode.net/existdb

Received on Saturday, 27 August 2016 18:08:05 UTC
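The three styles the thread contrasts, side by side, as an added example (not code from the thread or from any project): eval over a query string assembled from input, BaseX's xquery:eval with explicit map bindings, and the function-composition alternative with no eval at all. The `<users>` document and the `$wanted` value are constructed here as stand-ins for untrusted request input; the BaseX-specific part is only the `xquery:eval` call.

```xquery
xquery version "3.1";

(: Constructed sample data; in practice $wanted would arrive from a request. :)
declare variable $users := <users><u name="admin"/><u name="bob"/></users>;
declare variable $wanted as xs:string := "bob";

(: Pattern 1, the risk the reply points at: the input is spliced into the
   query text, so whoever controls $wanted controls code, not just a value.
   Any input containing XQuery syntax is evaluated as part of the query. :)
declare function local:by-string($users as element(users),
                                 $wanted as xs:string) as item()* {
  xquery:eval(
    "declare variable $users external; $users/u[@name = '" || $wanted || "']",
    map { 'users': $users }
  )
};

(: Pattern 2, the BaseX approach quoted in the thread: the input is bound to
   an external variable through the map, so it is only ever a string value
   and the query text itself is a constant. :)
declare function local:by-binding($users as element(users),
                                  $wanted as xs:string) as item()* {
  xquery:eval(
    "declare variable $users external; declare variable $wanted external;
     $users/u[@name = $wanted]",
    map { 'users': $users, 'wanted': $wanted }
  )
};

(: Pattern 3, function composition (XQuery 3.0 higher-order functions): the
   caller passes a predicate function, and no query text is assembled at all. :)
declare function local:by-predicate($users as element(users),
                                    $pred as function(element(u)) as xs:boolean)
    as element(u)* {
  $users/u[$pred(.)]
};

(: All three return the <u name="bob"/> element for this benign input; only
   patterns 2 and 3 keep that guarantee when $wanted is attacker-controlled. :)
(
  local:by-string($users, $wanted),
  local:by-binding($users, $wanted),
  local:by-predicate($users, function($u as element(u)) as xs:boolean {
    $u/@name = $wanted
  })
)
```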