Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1
ID: 51785
User updated by: pecoes at gmail dot com
Reported by: pecoes at gmail dot com
Summary: No way to escape quotes for XPath
Status: Bogus
Type: Bug
Package: *XML functions
Operating System: WinXP
PHP Version: 5.3.2
Assigned To: rrichards
New Comment:
Nice! Your work-around is certainly better than mine. :)
It's still a work-around, though. :(
XPath variables would certainly be useful.
My suggestion would have been to take unilateral action and improve the
XPath standard by intoducing escape-sequences: \' \" and \\
I realize that amending a standard isn't exactly elegant, but it
certainly would make things easy on the PHP-side of things. Simply treat
your input with addslashes and you're good. From a user-perspective that
would be the most desirable solution, I suppose.
Previous Comments:
[2010-06-18 18:08:45] rricha...@php.net
simplest way is to use php functions for comparison, like compare
htmlspecialchars escaped strings:
$dom = new DOMDocument;
$domstr = "double quote: \", single quote: '";
$dom->loadXML($domstr);
$xpath = new DOMXPath($dom);
$xpath->registerNamespace("php", "http://php.net/xpath";);
$xpath->registerPHPFunctions();
$check_string = htmlspecialchars("double quote: \", single quote: '",
ENT_QUOTES
);
$q = "/test[php:functionString('htmlspecialchars', ., 3) =
'$check_string']";
echo $q."\n";
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
There is no current plan to support XPath 2.0 although possibility of
supporting
xpath variables in a future PHP version
[2010-06-18 17:05:34] pecoes at gmail dot com
We seem to misunderstand each other...
As long as there's only one type of quote - single or double - there's
no problem, but how do I escape a string with mixed quotes? How do I
quote that, so that the XPath-engine won't reject it?
[2010-06-18 16:50:06] rricha...@php.net
Jeez. Learn to properly escape strings then. I even gave you the proper
code for
your test to work. Its not a PHP bug nor a libxml2 bug so it's bogus.
Regardless
of the language you use you will hit escaping issues. If you really
think its a
bug somewhere you need to take it to the W3C.
[2010-06-18 16:33:42] pecoes at gmail dot com
Alright. It's not a PHP bug. So... what now? How do I deal with it in
PHP? Just because PHP is innocent, doesn't mean there's no need for a
fix. It's still a bug! Classifying it as "bogus" won't do a thing.
[2010-06-18 16:22:05] rricha...@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
You need to take into account PHP string escaping too.
$q = "/test[text()='\"']";
For more complex situations with mixed quote types, its a general
overall issue
with XPath not a PHP bug.
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=51785
--
Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1
Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1
ID: 51785
Updated by: rricha...@php.net
Reported by: pecoes at gmail dot com
Summary: No way to escape quotes for XPath
Status: Bogus
Type: Bug
Package: *XML functions
Operating System: WinXP
PHP Version: 5.3.2
Assigned To: rrichards
New Comment:
simplest way is to use php functions for comparison, like compare
htmlspecialchars escaped strings:
$dom = new DOMDocument;
$domstr = "double quote: \", single quote: '";
$dom->loadXML($domstr);
$xpath = new DOMXPath($dom);
$xpath->registerNamespace("php", "http://php.net/xpath";);
$xpath->registerPHPFunctions();
$check_string = htmlspecialchars("double quote: \", single quote: '",
ENT_QUOTES
);
$q = "/test[php:functionString('htmlspecialchars', ., 3) =
'$check_string']";
echo $q."\n";
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
There is no current plan to support XPath 2.0 although possibility of
supporting
xpath variables in a future PHP version
Previous Comments:
[2010-06-18 17:05:34] pecoes at gmail dot com
We seem to misunderstand each other...
As long as there's only one type of quote - single or double - there's
no problem, but how do I escape a string with mixed quotes? How do I
quote that, so that the XPath-engine won't reject it?
[2010-06-18 16:50:06] rricha...@php.net
Jeez. Learn to properly escape strings then. I even gave you the proper
code for
your test to work. Its not a PHP bug nor a libxml2 bug so it's bogus.
Regardless
of the language you use you will hit escaping issues. If you really
think its a
bug somewhere you need to take it to the W3C.
[2010-06-18 16:33:42] pecoes at gmail dot com
Alright. It's not a PHP bug. So... what now? How do I deal with it in
PHP? Just because PHP is innocent, doesn't mean there's no need for a
fix. It's still a bug! Classifying it as "bogus" won't do a thing.
[2010-06-18 16:22:05] rricha...@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
You need to take into account PHP string escaping too.
$q = "/test[text()='\"']";
For more complex situations with mixed quote types, its a general
overall issue
with XPath not a PHP bug.
[2010-05-10 18:43:43] pecoes at gmail dot com
Description:
There seems to be no way to escape single or double quotes for
XPath-Queries.
given: "
/test[text()="\""] produces an error message
/test[text()="\\""] dito
/test[text()="""] finds no match
This is not a PHP-Bug, I suppose. It may be a bug in the libxml2. It
might even be a bug in the XPath Spec itself. But regardless of where
the blame lies: This is serious! How is one supposed to use user-input
in an XPath, if it cannot be escaped?
I found a work-around, but it's fugly:
$dom = new DOMDocument;
$dom->loadXML('"');
$xpath = new DOMXPath($dom);
function xquote ($str)
{
if (strpos($str, '"') === FALSE) {
return '"'.$str.'"';
}
if (strpos($str, "'") === FALSE) {
return "'".$str."'";
}
$parts = preg_split('/(")/', $str, 0,
PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY);
array_walk($parts,
function (&$val) {
if ($val == '"') $val = "'\"'";
else $val = '"'.$val.'"';
}
);
return 'concat('.implode(',', $parts).')';
}
$q = sprintf('/test[text()=%s]', xquote('"'));
if ($xpath->evaluate($q)->item(0)) {
echo 'found'; // works!
} else {
echo 'not found';
}
Test script:
---
$dom = new DOMDocument;
$dom->loadXML('"');
$xpath = new DOMXPath($dom);
$q = '/test[text()="""]';
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
$q = '/test[text()="\\""]';
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
Expected result:
found
found
Actual result:
--
not found
Warning: DOMXPath::evaluate(): Invalid predicate...
Warning: DOMXPath::evaluate(): Invalid expression...
Fatal error: Call to a member function item() on non-object...
--
Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1
Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1
ID: 51785
User updated by: pecoes at gmail dot com
Reported by: pecoes at gmail dot com
Summary: No way to escape quotes for XPath
Status: Bogus
Type: Bug
Package: *XML functions
Operating System: WinXP
PHP Version: 5.3.2
Assigned To: rrichards
New Comment:
We seem to misunderstand each other...
As long as there's only one type of quote - single or double - there's
no problem, but how do I escape a string with mixed quotes? How do I
quote that, so that the XPath-engine won't reject it?
Previous Comments:
[2010-06-18 16:50:06] rricha...@php.net
Jeez. Learn to properly escape strings then. I even gave you the proper
code for
your test to work. Its not a PHP bug nor a libxml2 bug so it's bogus.
Regardless
of the language you use you will hit escaping issues. If you really
think its a
bug somewhere you need to take it to the W3C.
[2010-06-18 16:33:42] pecoes at gmail dot com
Alright. It's not a PHP bug. So... what now? How do I deal with it in
PHP? Just because PHP is innocent, doesn't mean there's no need for a
fix. It's still a bug! Classifying it as "bogus" won't do a thing.
[2010-06-18 16:22:05] rricha...@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
You need to take into account PHP string escaping too.
$q = "/test[text()='\"']";
For more complex situations with mixed quote types, its a general
overall issue
with XPath not a PHP bug.
[2010-05-10 18:43:43] pecoes at gmail dot com
Description:
There seems to be no way to escape single or double quotes for
XPath-Queries.
given: "
/test[text()="\""] produces an error message
/test[text()="\\""] dito
/test[text()="""] finds no match
This is not a PHP-Bug, I suppose. It may be a bug in the libxml2. It
might even be a bug in the XPath Spec itself. But regardless of where
the blame lies: This is serious! How is one supposed to use user-input
in an XPath, if it cannot be escaped?
I found a work-around, but it's fugly:
$dom = new DOMDocument;
$dom->loadXML('"');
$xpath = new DOMXPath($dom);
function xquote ($str)
{
if (strpos($str, '"') === FALSE) {
return '"'.$str.'"';
}
if (strpos($str, "'") === FALSE) {
return "'".$str."'";
}
$parts = preg_split('/(")/', $str, 0,
PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY);
array_walk($parts,
function (&$val) {
if ($val == '"') $val = "'\"'";
else $val = '"'.$val.'"';
}
);
return 'concat('.implode(',', $parts).')';
}
$q = sprintf('/test[text()=%s]', xquote('"'));
if ($xpath->evaluate($q)->item(0)) {
echo 'found'; // works!
} else {
echo 'not found';
}
Test script:
---
$dom = new DOMDocument;
$dom->loadXML('"');
$xpath = new DOMXPath($dom);
$q = '/test[text()="""]';
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
$q = '/test[text()="\\""]';
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
Expected result:
found
found
Actual result:
--
not found
Warning: DOMXPath::evaluate(): Invalid predicate...
Warning: DOMXPath::evaluate(): Invalid expression...
Fatal error: Call to a member function item() on non-object...
--
Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1
Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1
ID: 51785
Updated by: rricha...@php.net
Reported by: pecoes at gmail dot com
Summary: No way to escape quotes for XPath
Status: Bogus
Type: Bug
Package: *XML functions
Operating System: WinXP
PHP Version: 5.3.2
Assigned To: rrichards
New Comment:
Jeez. Learn to properly escape strings then. I even gave you the proper
code for
your test to work. Its not a PHP bug nor a libxml2 bug so it's bogus.
Regardless
of the language you use you will hit escaping issues. If you really
think its a
bug somewhere you need to take it to the W3C.
Previous Comments:
[2010-06-18 16:33:42] pecoes at gmail dot com
Alright. It's not a PHP bug. So... what now? How do I deal with it in
PHP? Just because PHP is innocent, doesn't mean there's no need for a
fix. It's still a bug! Classifying it as "bogus" won't do a thing.
[2010-06-18 16:22:05] rricha...@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
You need to take into account PHP string escaping too.
$q = "/test[text()='\"']";
For more complex situations with mixed quote types, its a general
overall issue
with XPath not a PHP bug.
[2010-05-10 18:43:43] pecoes at gmail dot com
Description:
There seems to be no way to escape single or double quotes for
XPath-Queries.
given: "
/test[text()="\""] produces an error message
/test[text()="\\""] dito
/test[text()="""] finds no match
This is not a PHP-Bug, I suppose. It may be a bug in the libxml2. It
might even be a bug in the XPath Spec itself. But regardless of where
the blame lies: This is serious! How is one supposed to use user-input
in an XPath, if it cannot be escaped?
I found a work-around, but it's fugly:
$dom = new DOMDocument;
$dom->loadXML('"');
$xpath = new DOMXPath($dom);
function xquote ($str)
{
if (strpos($str, '"') === FALSE) {
return '"'.$str.'"';
}
if (strpos($str, "'") === FALSE) {
return "'".$str."'";
}
$parts = preg_split('/(")/', $str, 0,
PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY);
array_walk($parts,
function (&$val) {
if ($val == '"') $val = "'\"'";
else $val = '"'.$val.'"';
}
);
return 'concat('.implode(',', $parts).')';
}
$q = sprintf('/test[text()=%s]', xquote('"'));
if ($xpath->evaluate($q)->item(0)) {
echo 'found'; // works!
} else {
echo 'not found';
}
Test script:
---
$dom = new DOMDocument;
$dom->loadXML('"');
$xpath = new DOMXPath($dom);
$q = '/test[text()="""]';
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
$q = '/test[text()="\\""]';
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
Expected result:
found
found
Actual result:
--
not found
Warning: DOMXPath::evaluate(): Invalid predicate...
Warning: DOMXPath::evaluate(): Invalid expression...
Fatal error: Call to a member function item() on non-object...
--
Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1
Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1
ID: 51785
User updated by: pecoes at gmail dot com
Reported by: pecoes at gmail dot com
Summary: No way to escape quotes for XPath
Status: Bogus
Type: Bug
Package: *XML functions
Operating System: WinXP
PHP Version: 5.3.2
Assigned To: rrichards
New Comment:
Alright. It's not a PHP bug. So... what now? How do I deal with it in
PHP? Just because PHP is innocent, doesn't mean there's no need for a
fix. It's still a bug! Classifying it as "bogus" won't do a thing.
Previous Comments:
[2010-06-18 16:22:05] rricha...@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
You need to take into account PHP string escaping too.
$q = "/test[text()='\"']";
For more complex situations with mixed quote types, its a general
overall issue
with XPath not a PHP bug.
[2010-05-10 18:43:43] pecoes at gmail dot com
Description:
There seems to be no way to escape single or double quotes for
XPath-Queries.
given: "
/test[text()="\""] produces an error message
/test[text()="\\""] dito
/test[text()="""] finds no match
This is not a PHP-Bug, I suppose. It may be a bug in the libxml2. It
might even be a bug in the XPath Spec itself. But regardless of where
the blame lies: This is serious! How is one supposed to use user-input
in an XPath, if it cannot be escaped?
I found a work-around, but it's fugly:
$dom = new DOMDocument;
$dom->loadXML('"');
$xpath = new DOMXPath($dom);
function xquote ($str)
{
if (strpos($str, '"') === FALSE) {
return '"'.$str.'"';
}
if (strpos($str, "'") === FALSE) {
return "'".$str."'";
}
$parts = preg_split('/(")/', $str, 0,
PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY);
array_walk($parts,
function (&$val) {
if ($val == '"') $val = "'\"'";
else $val = '"'.$val.'"';
}
);
return 'concat('.implode(',', $parts).')';
}
$q = sprintf('/test[text()=%s]', xquote('"'));
if ($xpath->evaluate($q)->item(0)) {
echo 'found'; // works!
} else {
echo 'not found';
}
Test script:
---
$dom = new DOMDocument;
$dom->loadXML('"');
$xpath = new DOMXPath($dom);
$q = '/test[text()="""]';
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
$q = '/test[text()="\\""]';
if ($xpath->evaluate($q)->item(0)) {
echo "found\r\n";
} else {
echo "not found\r\n";
}
Expected result:
found
found
Actual result:
--
not found
Warning: DOMXPath::evaluate(): Invalid predicate...
Warning: DOMXPath::evaluate(): Invalid expression...
Fatal error: Call to a member function item() on non-object...
--
Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1
