avernet · December 28, 2010 00:29
diff --git a/20101227-xquery-injection.xhtml b/20101227-xquery-injection.xhtml
 <xhtml:html xmlns:xhtml="http://www.w3.org/1999/xhtml"
      xmlns:xforms="http://www.w3.org/2002/xforms"
      xmlns:ev="http://www.w3.org/2001/xml-events"
      xmlns:fr="http://orbeon.org/oxf/xml/form-runner"
      xmlns:exist="http://exist.sourceforge.net/NS/exist">
    <xhtml:head>
        <xhtml:title>Preventing XQuery Injections</xhtml:title>
        <xforms:model>
            <xforms:instance id="form">
                <instance>
                    <name/>
                </instance>
            </xforms:instance>
            <xforms:instance id="request">
                <exist:query>
                    <exist:text>
                        declare namespace request="http://exist-db.org/xquery/request";
                        concat('Hello ', request:get-parameter('name', ''), '!')
                    </exist:text>
                </exist:query>
            </xforms:instance>
            <xforms:instance id="response"><exist:result/></xforms:instance>
            <xforms:submission id="run-query" method="post" resource="/exist/rest?name={encode-for-uri(instance('form')/name)}"
                               ref="instance('request')" replace="instance" instance="response"/>
        </xforms:model>
    </xhtml:head>
    <xhtml:body>
        <xforms:input ref="name">
            <xforms:label>Your name</xforms:label>
        </xforms:input>
        <fr:button>
            <xforms:label>Run query</xforms:label>
            <xforms:send ev:event="DOMActivate" submission="run-query"/>
        </fr:button>
        <xforms:output ref="instance('response')/exist:value"/>
    </xhtml:body>
 </xhtml:html>
	<xhtml:html xmlns:xhtml="http://www.w3.org/1999/xhtml"
	xmlns:xforms="http://www.w3.org/2002/xforms"
	xmlns:ev="http://www.w3.org/2001/xml-events"
	xmlns:fr="http://orbeon.org/oxf/xml/form-runner"
	xmlns:exist="http://exist.sourceforge.net/NS/exist">
	<xhtml:head>
	<xhtml:title>Preventing XQuery Injections</xhtml:title>
	<xforms:model>
	<xforms:instance id="form">
	<instance>
	<name/>
	</instance>
	</xforms:instance>
	<xforms:instance id="request">
	<exist:query>
	<exist:text>
	declare namespace request="http://exist-db.org/xquery/request";
	concat('Hello ', request:get-parameter('name', ''), '!')
	</exist:text>
	</exist:query>
	</xforms:instance>
	<xforms:instance id="response"><exist:result/></xforms:instance>
	<xforms:submission id="run-query" method="post" resource="/exist/rest?name={encode-for-uri(instance('form')/name)}"
	ref="instance('request')" replace="instance" instance="response"/>
	</xforms:model>
	</xhtml:head>
	<xhtml:body>
	<xforms:input ref="name">
	<xforms:label>Your name</xforms:label>
	</xforms:input>
	<fr:button>
	<xforms:label>Run query</xforms:label>
	<xforms:send ev:event="DOMActivate" submission="run-query"/>
	</fr:button>
	<xforms:output ref="instance('response')/exist:value"/>
	</xhtml:body>
	</xhtml:html>