authorTom Lane2011-07-20 22:44:09 +0000
committerTom Lane2011-07-20 22:44:35 +0000
commitaaf15e5c1cf8d2c27d2f9841343f00027762cb4e (patch)
treee9661afe4c1bab76a1ad72dedcc0364787104e87 /src/backend/utils/adt/xml.c
parent17a16eeb7c4fd0c6dce80521247a20d76706b2bb (diff)
Ensure that xpath() escapes special characters in string values.
Without this it's possible for the output to not be legal XML, as illustrated by the added regression test cases. NB: this change will need to be called out as an incompatibility in the 9.2 release notes, since it's possible somebody was relying on the old behavior, even though it's clearly wrong. Florian Pflug, reviewed by Radoslaw Smogura
Diffstat (limited to 'src/backend/utils/adt/xml.c')
-rw-r--r--src/backend/utils/adt/xml.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/backend/utils/adt/xml.c b/src/backend/utils/adt/xml.c
index 6786cd91bb..c07232575e 100644
--- a/src/backend/utils/adt/xml.c
+++ b/src/backend/utils/adt/xml.c
@@ -3537,7 +3537,11 @@ xml_xmlnodetoxmltype(xmlNodePtr cur)
str = xmlXPathCastNodeToString(cur);
PG_TRY();
{
- result = (xmltype *) cstring_to_text((char *) str);
+ /* Here we rely on XML having the same representation as TEXT */
+ char *escaped = escape_xml((char *) str);
+
+ result = (xmltype *) cstring_to_text(escaped);
+ pfree(escaped);
}
PG_CATCH();
{
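Review bot: The result of `xmlXPathCastNodeToString(cur)` is passed to `escape_xml((char *) str)` inside the PG_TRY block with no NULL check in between, and libxml2 can return NULL here when its allocation fails. The old code had the same gap with `cstring_to_text`, but the new escaping call is now the first place the pointer would be dereferenced, so a check belongs right after the assignment, e.g. `if (str == NULL) ereport(ERROR, (errcode(ERRCODE_OUT_OF_MEMORY), errmsg("out of memory")));`. The added comment could also say why the escaping is there, for example `/* escape markup characters so a node's string value cannot be read back as XML markup */`, since the existing comment only explains the cast. The PG_CATCH block and the rest of xml_xmlnodetoxmltype continue outside the hunk, so whether `str` is freed on every path cannot be confirmed from here.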