Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1 ID: 51785 User updated by: pecoes at gmail dot com Reported by: pecoes at gmail dot com Summary: No way to escape quotes for XPath Status: Bogus Type: Bug Package: *XML functions Operating System: WinXP PHP Version: 5.3.2 Assigned To: rrichards New Comment: Nice! Your work-around is certainly better than mine. :) It's still a work-around, though. :( XPath variables would certainly be useful. My suggestion would have been to take unilateral action and improve the XPath standard by intoducing escape-sequences: \' \" and \\ I realize that amending a standard isn't exactly elegant, but it certainly would make things easy on the PHP-side of things. Simply treat your input with addslashes and you're good. From a user-perspective that would be the most desirable solution, I suppose. Previous Comments: [2010-06-18 18:08:45] rricha...@php.net simplest way is to use php functions for comparison, like compare htmlspecialchars escaped strings: $dom = new DOMDocument; $domstr = "double quote: \", single quote: '"; $dom->loadXML($domstr); $xpath = new DOMXPath($dom); $xpath->registerNamespace("php", "http://php.net/xpath";); $xpath->registerPHPFunctions(); $check_string = htmlspecialchars("double quote: \", single quote: '", ENT_QUOTES ); $q = "/test[php:functionString('htmlspecialchars', ., 3) = '$check_string']"; echo $q."\n"; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } There is no current plan to support XPath 2.0 although possibility of supporting xpath variables in a future PHP version [2010-06-18 17:05:34] pecoes at gmail dot com We seem to misunderstand each other... As long as there's only one type of quote - single or double - there's no problem, but how do I escape a string with mixed quotes? How do I quote that, so that the XPath-engine won't reject it? [2010-06-18 16:50:06] rricha...@php.net Jeez. Learn to properly escape strings then. I even gave you the proper code for your test to work. Its not a PHP bug nor a libxml2 bug so it's bogus. Regardless of the language you use you will hit escaping issues. If you really think its a bug somewhere you need to take it to the W3C. [2010-06-18 16:33:42] pecoes at gmail dot com Alright. It's not a PHP bug. So... what now? How do I deal with it in PHP? Just because PHP is innocent, doesn't mean there's no need for a fix. It's still a bug! Classifying it as "bogus" won't do a thing. [2010-06-18 16:22:05] rricha...@php.net Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php You need to take into account PHP string escaping too. $q = "/test[text()='\"']"; For more complex situations with mixed quote types, its a general overall issue with XPath not a PHP bug. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=51785 -- Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1
Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1 ID: 51785 Updated by: rricha...@php.net Reported by: pecoes at gmail dot com Summary: No way to escape quotes for XPath Status: Bogus Type: Bug Package: *XML functions Operating System: WinXP PHP Version: 5.3.2 Assigned To: rrichards New Comment: simplest way is to use php functions for comparison, like compare htmlspecialchars escaped strings: $dom = new DOMDocument; $domstr = "double quote: \", single quote: '"; $dom->loadXML($domstr); $xpath = new DOMXPath($dom); $xpath->registerNamespace("php", "http://php.net/xpath";); $xpath->registerPHPFunctions(); $check_string = htmlspecialchars("double quote: \", single quote: '", ENT_QUOTES ); $q = "/test[php:functionString('htmlspecialchars', ., 3) = '$check_string']"; echo $q."\n"; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } There is no current plan to support XPath 2.0 although possibility of supporting xpath variables in a future PHP version Previous Comments: [2010-06-18 17:05:34] pecoes at gmail dot com We seem to misunderstand each other... As long as there's only one type of quote - single or double - there's no problem, but how do I escape a string with mixed quotes? How do I quote that, so that the XPath-engine won't reject it? [2010-06-18 16:50:06] rricha...@php.net Jeez. Learn to properly escape strings then. I even gave you the proper code for your test to work. Its not a PHP bug nor a libxml2 bug so it's bogus. Regardless of the language you use you will hit escaping issues. If you really think its a bug somewhere you need to take it to the W3C. [2010-06-18 16:33:42] pecoes at gmail dot com Alright. It's not a PHP bug. So... what now? How do I deal with it in PHP? Just because PHP is innocent, doesn't mean there's no need for a fix. It's still a bug! Classifying it as "bogus" won't do a thing. [2010-06-18 16:22:05] rricha...@php.net Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php You need to take into account PHP string escaping too. $q = "/test[text()='\"']"; For more complex situations with mixed quote types, its a general overall issue with XPath not a PHP bug. [2010-05-10 18:43:43] pecoes at gmail dot com Description: There seems to be no way to escape single or double quotes for XPath-Queries. given: " /test[text()="\""] produces an error message /test[text()="\\""] dito /test[text()="""] finds no match This is not a PHP-Bug, I suppose. It may be a bug in the libxml2. It might even be a bug in the XPath Spec itself. But regardless of where the blame lies: This is serious! How is one supposed to use user-input in an XPath, if it cannot be escaped? I found a work-around, but it's fugly: $dom = new DOMDocument; $dom->loadXML('"'); $xpath = new DOMXPath($dom); function xquote ($str) { if (strpos($str, '"') === FALSE) { return '"'.$str.'"'; } if (strpos($str, "'") === FALSE) { return "'".$str."'"; } $parts = preg_split('/(")/', $str, 0, PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY); array_walk($parts, function (&$val) { if ($val == '"') $val = "'\"'"; else $val = '"'.$val.'"'; } ); return 'concat('.implode(',', $parts).')'; } $q = sprintf('/test[text()=%s]', xquote('"')); if ($xpath->evaluate($q)->item(0)) { echo 'found'; // works! } else { echo 'not found'; } Test script: --- $dom = new DOMDocument; $dom->loadXML('"'); $xpath = new DOMXPath($dom); $q = '/test[text()="""]'; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } $q = '/test[text()="\\""]'; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } Expected result: found found Actual result: -- not found Warning: DOMXPath::evaluate(): Invalid predicate... Warning: DOMXPath::evaluate(): Invalid expression... Fatal error: Call to a member function item() on non-object... -- Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1
Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1 ID: 51785 User updated by: pecoes at gmail dot com Reported by: pecoes at gmail dot com Summary: No way to escape quotes for XPath Status: Bogus Type: Bug Package: *XML functions Operating System: WinXP PHP Version: 5.3.2 Assigned To: rrichards New Comment: We seem to misunderstand each other... As long as there's only one type of quote - single or double - there's no problem, but how do I escape a string with mixed quotes? How do I quote that, so that the XPath-engine won't reject it? Previous Comments: [2010-06-18 16:50:06] rricha...@php.net Jeez. Learn to properly escape strings then. I even gave you the proper code for your test to work. Its not a PHP bug nor a libxml2 bug so it's bogus. Regardless of the language you use you will hit escaping issues. If you really think its a bug somewhere you need to take it to the W3C. [2010-06-18 16:33:42] pecoes at gmail dot com Alright. It's not a PHP bug. So... what now? How do I deal with it in PHP? Just because PHP is innocent, doesn't mean there's no need for a fix. It's still a bug! Classifying it as "bogus" won't do a thing. [2010-06-18 16:22:05] rricha...@php.net Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php You need to take into account PHP string escaping too. $q = "/test[text()='\"']"; For more complex situations with mixed quote types, its a general overall issue with XPath not a PHP bug. [2010-05-10 18:43:43] pecoes at gmail dot com Description: There seems to be no way to escape single or double quotes for XPath-Queries. given: " /test[text()="\""] produces an error message /test[text()="\\""] dito /test[text()="""] finds no match This is not a PHP-Bug, I suppose. It may be a bug in the libxml2. It might even be a bug in the XPath Spec itself. But regardless of where the blame lies: This is serious! How is one supposed to use user-input in an XPath, if it cannot be escaped? I found a work-around, but it's fugly: $dom = new DOMDocument; $dom->loadXML('"'); $xpath = new DOMXPath($dom); function xquote ($str) { if (strpos($str, '"') === FALSE) { return '"'.$str.'"'; } if (strpos($str, "'") === FALSE) { return "'".$str."'"; } $parts = preg_split('/(")/', $str, 0, PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY); array_walk($parts, function (&$val) { if ($val == '"') $val = "'\"'"; else $val = '"'.$val.'"'; } ); return 'concat('.implode(',', $parts).')'; } $q = sprintf('/test[text()=%s]', xquote('"')); if ($xpath->evaluate($q)->item(0)) { echo 'found'; // works! } else { echo 'not found'; } Test script: --- $dom = new DOMDocument; $dom->loadXML('"'); $xpath = new DOMXPath($dom); $q = '/test[text()="""]'; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } $q = '/test[text()="\\""]'; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } Expected result: found found Actual result: -- not found Warning: DOMXPath::evaluate(): Invalid predicate... Warning: DOMXPath::evaluate(): Invalid expression... Fatal error: Call to a member function item() on non-object... -- Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1
Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1 ID: 51785 Updated by: rricha...@php.net Reported by: pecoes at gmail dot com Summary: No way to escape quotes for XPath Status: Bogus Type: Bug Package: *XML functions Operating System: WinXP PHP Version: 5.3.2 Assigned To: rrichards New Comment: Jeez. Learn to properly escape strings then. I even gave you the proper code for your test to work. Its not a PHP bug nor a libxml2 bug so it's bogus. Regardless of the language you use you will hit escaping issues. If you really think its a bug somewhere you need to take it to the W3C. Previous Comments: [2010-06-18 16:33:42] pecoes at gmail dot com Alright. It's not a PHP bug. So... what now? How do I deal with it in PHP? Just because PHP is innocent, doesn't mean there's no need for a fix. It's still a bug! Classifying it as "bogus" won't do a thing. [2010-06-18 16:22:05] rricha...@php.net Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php You need to take into account PHP string escaping too. $q = "/test[text()='\"']"; For more complex situations with mixed quote types, its a general overall issue with XPath not a PHP bug. [2010-05-10 18:43:43] pecoes at gmail dot com Description: There seems to be no way to escape single or double quotes for XPath-Queries. given: " /test[text()="\""] produces an error message /test[text()="\\""] dito /test[text()="""] finds no match This is not a PHP-Bug, I suppose. It may be a bug in the libxml2. It might even be a bug in the XPath Spec itself. But regardless of where the blame lies: This is serious! How is one supposed to use user-input in an XPath, if it cannot be escaped? I found a work-around, but it's fugly: $dom = new DOMDocument; $dom->loadXML('"'); $xpath = new DOMXPath($dom); function xquote ($str) { if (strpos($str, '"') === FALSE) { return '"'.$str.'"'; } if (strpos($str, "'") === FALSE) { return "'".$str."'"; } $parts = preg_split('/(")/', $str, 0, PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY); array_walk($parts, function (&$val) { if ($val == '"') $val = "'\"'"; else $val = '"'.$val.'"'; } ); return 'concat('.implode(',', $parts).')'; } $q = sprintf('/test[text()=%s]', xquote('"')); if ($xpath->evaluate($q)->item(0)) { echo 'found'; // works! } else { echo 'not found'; } Test script: --- $dom = new DOMDocument; $dom->loadXML('"'); $xpath = new DOMXPath($dom); $q = '/test[text()="""]'; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } $q = '/test[text()="\\""]'; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } Expected result: found found Actual result: -- not found Warning: DOMXPath::evaluate(): Invalid predicate... Warning: DOMXPath::evaluate(): Invalid expression... Fatal error: Call to a member function item() on non-object... -- Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1
Bug #51785 [Bgs]: No way to escape quotes for XPath
Edit report at http://bugs.php.net/bug.php?id=51785&edit=1 ID: 51785 User updated by: pecoes at gmail dot com Reported by: pecoes at gmail dot com Summary: No way to escape quotes for XPath Status: Bogus Type: Bug Package: *XML functions Operating System: WinXP PHP Version: 5.3.2 Assigned To: rrichards New Comment: Alright. It's not a PHP bug. So... what now? How do I deal with it in PHP? Just because PHP is innocent, doesn't mean there's no need for a fix. It's still a bug! Classifying it as "bogus" won't do a thing. Previous Comments: [2010-06-18 16:22:05] rricha...@php.net Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php You need to take into account PHP string escaping too. $q = "/test[text()='\"']"; For more complex situations with mixed quote types, its a general overall issue with XPath not a PHP bug. [2010-05-10 18:43:43] pecoes at gmail dot com Description: There seems to be no way to escape single or double quotes for XPath-Queries. given: " /test[text()="\""] produces an error message /test[text()="\\""] dito /test[text()="""] finds no match This is not a PHP-Bug, I suppose. It may be a bug in the libxml2. It might even be a bug in the XPath Spec itself. But regardless of where the blame lies: This is serious! How is one supposed to use user-input in an XPath, if it cannot be escaped? I found a work-around, but it's fugly: $dom = new DOMDocument; $dom->loadXML('"'); $xpath = new DOMXPath($dom); function xquote ($str) { if (strpos($str, '"') === FALSE) { return '"'.$str.'"'; } if (strpos($str, "'") === FALSE) { return "'".$str."'"; } $parts = preg_split('/(")/', $str, 0, PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY); array_walk($parts, function (&$val) { if ($val == '"') $val = "'\"'"; else $val = '"'.$val.'"'; } ); return 'concat('.implode(',', $parts).')'; } $q = sprintf('/test[text()=%s]', xquote('"')); if ($xpath->evaluate($q)->item(0)) { echo 'found'; // works! } else { echo 'not found'; } Test script: --- $dom = new DOMDocument; $dom->loadXML('"'); $xpath = new DOMXPath($dom); $q = '/test[text()="""]'; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } $q = '/test[text()="\\""]'; if ($xpath->evaluate($q)->item(0)) { echo "found\r\n"; } else { echo "not found\r\n"; } Expected result: found found Actual result: -- not found Warning: DOMXPath::evaluate(): Invalid predicate... Warning: DOMXPath::evaluate(): Invalid expression... Fatal error: Call to a member function item() on non-object... -- Edit this bug report at http://bugs.php.net/bug.php?id=51785&edit=1