- From: Liam Quin <liam@w3.org>
- Date: Fri, 11 Sep 2015 14:52:04 -0400
- To: Michael Dyck <jmdyck@ibiblio.org>
- Cc: public-xsl-query@w3.org
On 2015-09-11 14:33, Michael Dyck wrote:
> The non-interpolating one is less useful.
>
> But if you discard the non-interpolating one, how do you achieve its
> effect?
You use the interpolating one, and make sure the delimiter doesn't occur
inside it, or you use string concatenation.

The interpolating version should be fine for the JSON, JavaScript and
CSS cases, which are currently very error-prone and difficult in XQuery
because of their mix of curly braces, < > and $, and quotes... fine as
long as the delimiter is unlikely to occur. If it does occur you can use
string concatenation of two "smart quotes" blocks.
There's a small danger here of interpolation injection attacks, in the
case that people are generating queries and think they can use ~~{ ....
}~~ (or whatever) to avoid having to sanitize user data. This is
comparable to CDATA injection, and exists with all kinds of quoting
mechanisms.
By not having the non-interpolating version we're not losing
functionality we had before, but we are also not gaining quite as much
expressive power - I agree.
--
Liam Quin, W3C
XML Activity Lead;
Digital publishing; HTML Accessibility
Received on Friday, 11 September 2015 18:52:06 UTC
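The injection point raised in the message above, shown in working code. This is an added example and not part of the thread or of any W3C draft; it assumes the XQuery 3.1 string constructor syntax (``[ ... `{ expr }` ... ]``) in place of the "~~{ ... }~~" placeholder the message uses, and the $user value is a constructed sample standing in for request input. The naive function copies the value into the JSON text verbatim, so a single quote character in the input changes the structure of the output; the hardened function escapes the value as a JSON string literal first, which is the sanitising step the interpolating syntax does not do for you.

```xquery
xquery version "3.1";
(: Added example, not from the thread. Uses the XQuery 3.1 string
   constructor ``[ ... `{ expr }` ... ]`` in place of the "~~{ ... }~~"
   placeholder discussed in the message. :)

(: Constructed sample input: a display name containing a double quote.
   In practice this value would arrive from a request parameter. :)
declare variable $user as xs:string := 'O"Neil';

(: Naive: the interpolation pastes $user into the JSON text as-is, so the
   quote in the value ends the "name" literal early. The delimiter of the
   string constructor is never touched, yet the JSON is still broken. :)
declare function local:naive($u as xs:string) as xs:string {
  ``[{"name": "`{$u}`", "admin": false}]``
};

(: Hardened: turn the value into a JSON string literal before
   interpolating it. xml-to-json on a <string> element in the fn
   namespace emits the surrounding quotes and the backslash escapes,
   so the value cannot close the literal or introduce new members. :)
declare function local:escaped($u as xs:string) as xs:string {
  let $lit := xml-to-json(
                <string xmlns="http://www.w3.org/2005/xpath-functions">{$u}</string>)
  return ``[{"name": `{$lit}`, "admin": false}]``
};

(: Check used below: does the generated text still parse as JSON? :)
declare function local:is-json($s as xs:string) as xs:boolean {
  try { exists(parse-json($s)) } catch * { false() }
};

(: naive: {"name": "O"Neil", "admin": false}   -> is-json = false
   escaped: {"name": "O\"Neil", "admin": false} -> is-json = true :)
<result>
  <naive well-formed="{local:is-json(local:naive($user))}">{local:naive($user)}</naive>
  <escaped well-formed="{local:is-json(local:escaped($user))}">{local:escaped($user)}</escaped>
</result>
```

The same pattern applies to the JavaScript and CSS cases the message mentions: the string constructor solves the quoting of the template, not the encoding of the data placed into it, so each interpolated value still needs the escaping rules of the target language applied before it goes in.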