Github user GregAlbiston commented on the issue:

    https://github.com/apache/jena/pull/449
  
    I've made updates to try and address the comments made so far.

    - Now using _FmtUtils.stringForNode_ for conversion of RDFNode to replacement string.
    - Local method _validateParameterValue_ now used as values are being set to prevent injection attack.
    - Local method _validateSafeToInject_ now used when the query is being parsed to prevent injection attack. This is called for each of the target variables for each relevant item, i.e. not the varName supplied for the substitution but the variable in the VALUES clause of the query that will be evaluated.
    - The need for parentheses is now determined when the query is being parsed, based on the number of target variables in the VALUES clause and then, for a single target variable, the presence of parentheses in the query.
    - Updated tests, removed methods no longer required and added additional JavaDoc comments.
    
    Thanks,
    
    Greg
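An illustrative Java helper, added here and not Jena's ParameterizedSparqlString code, showing the approach the comment describes: the target variables and the need for parentheses are read from the VALUES head, each RDF term is rendered with FmtUtils.stringForNode so quotes in a lexical form are escaped, and only terms the SPARQL grammar permits in a data block are accepted. It assumes Jena 3.x on the classpath and a query whose VALUES data block is empty; the class, method names and sample query are constructed for this example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.jena.graph.Node;
import org.apache.jena.graph.NodeFactory;
import org.apache.jena.sparql.util.FmtUtils;

public final class ValuesBlockDemo {
    // Head of a VALUES clause: a single "?v" or a parenthesised "( ?v1 ?v2 ... )", then "{".
    private static final Pattern HEAD = Pattern.compile(
            "VALUES\\s*(\\?\\w+|\\((?:\\s*\\?\\w+)+\\s*\\))\\s*\\{", Pattern.CASE_INSENSITIVE);

    static String fillValues(String query, List<List<Node>> rows) {
        Matcher m = HEAD.matcher(query);
        if (!m.find()) throw new IllegalArgumentException("query has no VALUES clause");
        String head = m.group(1);
        String[] vars = head.replaceAll("[()]", " ").trim().split("\\s+");
        // Several target variables always need parenthesised rows; one variable only if the query wrote "(?v)".
        boolean parens = vars.length > 1 || head.startsWith("(");
        StringBuilder data = new StringBuilder();
        for (List<Node> row : rows) {
            if (row.size() != vars.length) throw new IllegalArgumentException("row width must be " + vars.length);
            if (parens) data.append('(');
            for (int i = 0; i < row.size(); i++) {
                if (i > 0) data.append(' ');
                data.append(term(row.get(i)));
            }
            data.append(parens ? ") " : " ");
        }
        int close = query.indexOf('}', m.end()); // data block assumed empty: "{ }"
        return query.substring(0, m.end()) + " " + data + query.substring(close);
    }

    // Only IRIs, literals or UNDEF may appear in a data block; FmtUtils escapes quotes in the lexical form.
    static String term(Node n) {
        if (n == null) return "UNDEF";
        if (n.isVariable() || n.isBlank()) throw new IllegalArgumentException("not allowed in a VALUES block: " + n);
        return FmtUtils.stringForNode(n);
    }

    public static void main(String[] args) {
        // Constructed input: the second literal holds characters that would end the literal and block if unescaped.
        String q = "SELECT * WHERE { VALUES (?name ?home) { } ?p <http://example.org/name> ?name }";
        List<List<Node>> rows = Arrays.asList(
                Arrays.asList(NodeFactory.createLiteral("Alice"), NodeFactory.createURI("http://example.org/a")),
                Arrays.asList(NodeFactory.createLiteral("It's \"quoted\" }"), null));
        System.out.println(fillValues(q, rows));
    }
}
```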

