JQuery Plugins: Callbacks and Now Triggers | Home | Resizing Your Windows XP Boot Partition in Parallels

Filed under Quick Tips on April 15, 2008 by Joel Potischman

Parameterized XPath Expressions in .NET

Escaping parameters in an XPath expression in .NET is hard. Quick, which of the following is right?

// assume searchValue is: Conan "Mad Dog" O'Brien lateNightHosts.SelectSingleNode(string.Format("user[@name = '{0}'] | user[. = '{0}']", searchValue)); lateNightHosts.SelectSingleNode(string.Format("user[@name = '{0}'] | user[. = '{0}']", searchValue.Replace("'", "\'").Replace("\"", "\"\""))); lateNightHosts.SelectSingleNode(string.Format("user[@name = '{0}'] | user[. = '{0}']", System.Xml.XmlConvert.EncodeName(searchValue))); lateNightHosts.SelectSingleNode(string.Format("user[@name = '{0}'] | user[. = '{0}']", System.Xml.XmlConvert.EncodeNmToken(searchValue))); Beats the hell out of me. Maybe one works, but I'm guessing not, and I'd assume a weird search term like Hello >:-< "How're you?" would blow me up. Fortunately, I found the wonderful Mvp.Xml .NET library, which will handle the tough work of escaping for me by letting me parameterize my XPath expressions, thereby protecting me from blowups and XPath injection attacks, like a search for '|@superuser='true. I can rewrite that search as follows:

using Mvp.Xml.Common.XPath; XPathCache.SelectSingleNode("user[@name=$hostname] | user[.=$hostname]", lateNightHosts, new XPathVariable("hostname", searchValue));

How nice is that?

Post a Comment Digg Del.icio.us

Post a Comment:

Name:

Email Address:

URL:

Comment:

JQuery Plugins: Callbacks and Now Triggers | Main | Resizing Your Windows XP Boot Partition in Parallels