From aaf15e5c1cf8d2c27d2f9841343f00027762cb4e Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Wed, 20 Jul 2011 18:44:09 -0400 Subject: Ensure that xpath() escapes special characters in string values. Without this it's possible for the output to not be legal XML, as illustrated by the added regression test cases. NB: this change will need to be called out as an incompatibility in the 9.2 release notes, since it's possible somebody was relying on the old behavior, even though it's clearly wrong. Florian Pflug, reviewed by Radoslaw Smogura --- src/backend/utils/adt/xml.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src/backend/utils/adt/xml.c') diff --git a/src/backend/utils/adt/xml.c b/src/backend/utils/adt/xml.c index 6786cd91bb5..c07232575e2 100644 --- a/src/backend/utils/adt/xml.c +++ b/src/backend/utils/adt/xml.c @@ -3537,7 +3537,11 @@ xml_xmlnodetoxmltype(xmlNodePtr cur) str = xmlXPathCastNodeToString(cur); PG_TRY(); { - result = (xmltype *) cstring_to_text((char *) str); + /* Here we rely on XML having the same representation as TEXT */ + char *escaped = escape_xml((char *) str); + + result = (xmltype *) cstring_to_text(escaped); + pfree(escaped); } PG_CATCH(); { -- cgit v1.2.3