- From: David Booth <david@dbooth.org>
- Date: Fri, 27 Jul 2012 08:57:31 -0400
- To: Steve Harris <steve.harris@garlik.com>
- Cc: semantic-web <semantic-web@w3.org>
On Fri, 2012-07-27 at 09:41 +0100, Steve Harris wrote:
> On 2012-07-26, at 21:06, David Booth wrote:
[ . . . ]
> > The template processor knows nothing about SPARQL syntax -- it merely
> > does blind text substitution -- so this also works:
> >
> > #inputs( Fred )
> > PREFIX foaf: <http://xmlns.com/foaf/0.1/>
> > SELECT ?person
> > WHERE { ?person foaf:givenName "Fred" }
>
> This makes me very nervous. One of the main reasons for templating (in
> SQL for e.g.) is for security. People can't be relied upon to
> correctly escape query strings (and shouldn't be asked to try), and I
> don't think a non syntax-aware template language can be guaranteed to
> get the escaping right.

Absolutely. This definitely should not be used in an uncontrolled fashion.
As I state in the man page:

Hence, if you are using this template system to generate queries,
commands, HTML or anything else that could be dangerous if inappropriate
text were injected, then you should be careful to scrub your values
before invoking this template processor.

--
David Booth, Ph.D.
http://dbooth.org/

Opinions expressed herein are those of the author and do not necessarily
reflect those of his employer.
Received on Friday, 27 July 2012 13:22:19 UTC
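The blind-substitution hazard discussed in this exchange, as an added example that is not part of the original thread or of David Booth's template processor: a Python stand-in for the template (the `TEMPLATE`, `NAME`, `escape_sparql_string` and `value_stayed_in_literal` names are assumptions of this example) beside the "scrub your values" step, implemented as escaping per the SPARQL 1.1 ECHAR rules, plus a check that reports whether a substituted value stayed inside its string literal.

```python
import re

# Constructed stand-in for the thread's "#inputs( Fred )" template: the body
# is substituted textually, with no knowledge of SPARQL syntax.
TEMPLATE = (
    'PREFIX foaf: <http://xmlns.com/foaf/0.1/>\n'
    'SELECT ?person\n'
    'WHERE { ?person foaf:givenName "{name}" }\n'
)

# Constructed input: a perfectly ordinary value that happens to contain quotes.
NAME = 'Wilbur "Fred" Smith'

def blind_substitute(template, **values):
    """Pure text substitution, exactly as the thread describes."""
    query = template
    for key, val in values.items():
        query = query.replace('{' + key + '}', val)
    return query

# ECHAR escapes from the SPARQL 1.1 grammar: \t \b \n \r \f \" \' \\
_ECHAR = {'\\': '\\\\', '"': '\\"', "'": "\\'", '\n': '\\n', '\r': '\\r',
          '\t': '\\t', '\b': '\\b', '\f': '\\f'}

def escape_sparql_string(value):
    """Scrub a value so it cannot terminate a quoted SPARQL string literal."""
    return ''.join(_ECHAR.get(ch, ch) for ch in value)

def safe_substitute(template, **values):
    """Scrub every value first, then reuse the same blind substitution."""
    scrubbed = {k: escape_sparql_string(v) for k, v in values.items()}
    return blind_substitute(template, **scrubbed)

# One complete double-quoted literal, honouring backslash escapes inside it.
_LITERAL = re.compile(r'"(?:[^"\\\n]|\\.)*"')

def skeleton(query):
    """The query with every complete string literal blanked to ""."""
    return _LITERAL.sub('""', query)

def value_stayed_in_literal(template, query):
    """True if substitution changed nothing outside the string literals.
    A differing skeleton means part of the value became query syntax."""
    return skeleton(template) == skeleton(query)

if __name__ == '__main__':
    print(blind_substitute(TEMPLATE, name=NAME))
    print(value_stayed_in_literal(TEMPLATE, blind_substitute(TEMPLATE, name=NAME)))  # False
    print(value_stayed_in_literal(TEMPLATE, safe_substitute(TEMPLATE, name=NAME)))   # True
```

Escaping only helps where the value lands inside a quoted literal; a value substituted into an IRI or a bare-term position needs its own syntax-specific check.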