- From: Liam Quin <liam@w3.org>
- Date: Fri, 11 Sep 2015 14:52:04 -0400
- To: Michael Dyck <jmdyck@ibiblio.org>
- Cc: public-xsl-query@w3.org
On 2015-09-11 14:33, Michael Dyck wrote:

> he non-interpolating one is less useful.
>
> But if you discard the non-interpolating one, how do you achieve its
> effect?

You use the interpolating one, and make sure the delimiter doesn't occur inside it, or you use string concatenation.

The interpolating version should be fine for the JSON, JavaScript and CSS cases, which are currently very error-prone and difficult in XQuery because of their mix of curly braces, < > and $, and quotes... fine as long as the delimiter is unlikely to occur. If it does occur you can use string concatenation of two "smart quotes" blocks.

There's a small danger here of interpolation injection attacks, in the case that people are generating queries and think they can use ~~{ .... }~~ (or whatever) to avoid having to sanitize user data. This is comparable to CDATA injection, and exists with all kinds of quoting mechanisms.

By not having the non-interpolating version we're not losing functionality we had before, but we are also not gaining quite as much expressive power - I agree.

--
Liam Quin, W3C XML Activity Lead; Digital publishing; HTML Accessibility
Received on Friday, 11 September 2015 18:52:06 UTC
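The delimiter problem raised in the message above, as an added example that is not part of the original mail or of any XQuery specification. It assumes the mail's placeholder delimiters `~~{` and `}~~`, a toy scanner that ends a block at the first closing delimiter, and XQuery's `||` operator for the string concatenation the mail suggests; interpolation markers inside a block are not modelled because the mail gives no syntax for them.

```python
# Toy model: a quoted block opens with OPEN and ends at the first CLOSE.
# The delimiters are the placeholder from the mail, not a real XQuery syntax.
OPEN, CLOSE = "~~{", "}~~"

def naive_quote(data):
    """What a query generator does if it treats the block as sanitizing."""
    return OPEN + data + CLOSE

def scan(query):
    """Split generated query text into ('str', text) and ('code', text) runs."""
    runs, pos = [], 0
    while True:
        start = query.find(OPEN, pos)
        if start < 0:
            break
        end = query.find(CLOSE, start + len(OPEN))
        if end < 0:
            raise ValueError("unterminated quoted block")
        if start > pos:
            runs.append(("code", query[pos:start]))
        runs.append(("str", query[start + len(OPEN):end]))
        pos = end + len(CLOSE)
    if pos < len(query):
        runs.append(("code", query[pos:]))
    return runs

def safe_quote(data):
    """Break every CLOSE in the data across two blocks joined with '||'."""
    parts = data.split(CLOSE)
    chunks = [parts[0]]
    for part in parts[1:]:
        chunks[-1] += CLOSE[0]            # "}" ends the current block
        chunks.append(CLOSE[1:] + part)   # "~~" starts the next block
    return " || ".join(OPEN + chunk + CLOSE for chunk in chunks)

def decoded(query):
    """String value the scanner sees; fails if data became query code."""
    runs = scan(query)
    if any(kind == "code" and text.strip() != "||" for kind, text in runs):
        raise ValueError("data escaped into query code")
    return "".join(text for kind, text in runs if kind == "str")

# Constructed sample input that contains the closing delimiter.
SAMPLE = 'x }~~ , doc("other.xml") , ~~{ y'
```
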