如何从DOM XPath查询中转义所有无效字符? [英] How to escape all invalid characters from DOM XPath Query?
问题描述
我有以下函数可以在 HTML DOM
中查找值;
I have the following function that finds values within a HTML DOM
;
它可以工作,但是当我给参数 $ value
像这样: Levi's Baby Baby,
会破解,因为它不能逃脱,和'chars
It works, but when i give parameter $value
like: Levi's Baby Overall,
it cracks, because it does not escape the , and ' chars
如何从DOM XPath查询中转义所有无效字符?
How to escape all invalid characters from DOM XPath Query?
private function extract($file,$url,$value) {
$result = array();
$i = 0;
$dom = new DOMDocument();
@$dom->loadHTMLFile($file);
//use DOMXpath to navigate the html with the DOM
$dom_xpath = new DOMXpath($dom);
$elements = $dom_xpath->query("//*[text()[contains(., '" . $value . "')]]");
if (!is_null($elements)) {
foreach ($elements as $element) {
$nodes = $element->childNodes;
foreach ($nodes as $node) {
if (($node->nodeValue != null) && ($node->nodeValue === $value)) {
$xpath = preg_replace("/\/text\(\)/", "", $node->getNodePath());
$result[$i]['url'] = $url;
$result[$i]['value'] = $node->nodeValue;
$result[$i]['xpath'] = $xpath;
$i++;
}
}
}
}
return $result;
}
推荐答案
一个不应该替换占位符在XPath表达式中包含由用户提供的任意字符串-因为存在(恶意)XPath注入的风险。
One shouldn't substitute placeholders in an XPath expression with arbitrary, user-provided strings -- because of the risk of (malicious) XPath injection.
为了安全处理此类未知字符串,解决方案是使用预编译的XPath表达式,并将用户提供的字符串作为变量传递给它。这也完全消除了处理代码中嵌套引号的需要。
To deal safely with such unknown strings, the solution is to use a pre-compiled XPath expression and to pass the user-provided string as a variable to it. This also completely eliminates the need to deal with nested quotes in the code.
这篇关于如何从DOM XPath查询中转义所有无效字符?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!