How to escape all invalid characters from DOM XPath Query?

Question

I have the following function that finds values within a HTML DOM;

It works, but when I give the parameter $value a string like Levi's Baby Overall, it cracks, because it does not escape the , and ' chars.

How to escape all invalid characters from DOM XPath Query?

private function extract($file, $url, $value) {
    $result = array();
    $i = 0;
    $dom = new DOMDocument();
    @$dom->loadHTMLFile($file);
    // use DOMXPath to navigate the HTML with the DOM
    $dom_xpath = new DOMXPath($dom);
    // $value is interpolated straight into the expression: a ' inside it
    // terminates the string literal early, so the query no longer compiles
    // (and crafted input can change what the query matches)
    $elements = $dom_xpath->query("//*[text()[contains(., '" . $value . "')]]");
    // DOMXPath::query() returns false (not null) when the expression is invalid
    if ($elements !== false) {
        foreach ($elements as $element) {
            $nodes = $element->childNodes;
            foreach ($nodes as $node) {
                // keep only the child text node whose content is exactly $value
                if (($node->nodeValue != null) && ($node->nodeValue === $value)) {
                    // getNodePath() on a text node ends in /text(); strip it to
                    // report the path of the containing element
                    $xpath = preg_replace("/\/text\(\)/", "", $node->getNodePath());
                    $result[$i]['url'] = $url;
                    $result[$i]['value'] = $node->nodeValue;
                    $result[$i]['xpath'] = $xpath;
                    $i++;
                }
            }
        }
    }
    return $result;
}


Answer

One shouldn't substitute placeholders in an XPath expression with arbitrary, user-provided strings -- because of the risk of (malicious) XPath injection.

To deal safely with such unknown strings, the solution is to use a pre-compiled XPath expression and to pass the user-provided string as a variable to it. This also completely eliminates the need to deal with nested quotes in the code.
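The answer's advice (compile the expression once, hand the data over as a variable) is available in engines such as lxml or javax.xml.xpath, but PHP's DOMXPath::query() has no variable binding, so the asker's code needs a different route to the same guarantee. The added example below is not from the question or the answer; it keeps the data out of the expression's syntax by turning $value into a well-formed XPath 1.0 string literal, using concat() when the value contains both kinds of quote (XPath 1.0 literals have no escape sequences). The HTML document, the function names xpathLiteral() and findTextNodes(), and the PHP 7.4+ arrow function are all assumptions made for the example.

```php
<?php
// Added example, not code from the original question or answer.
// Goal: search a DOM for arbitrary user text with DOMXPath without letting
// quotes or commas in that text alter the XPath expression.

/**
 * Return an XPath 1.0 string literal for an arbitrary PHP string.
 * XPath 1.0 literals cannot escape their own delimiter, so a value that
 * contains both ' and " has to be assembled with concat().
 */
function xpathLiteral(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    // Both quote kinds present: split on ' and rejoin the pieces with a
    // double-quoted apostrophe between them.
    $parts = array_map(
        fn(string $p): string => "'" . $p . "'",
        explode("'", $value)
    );
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

/**
 * Find every element whose own text node equals $value and report its path.
 * Same job as the question's extract(), but $value goes through
 * xpathLiteral() instead of being interpolated raw.
 */
function findTextNodes(DOMDocument $dom, string $value): array
{
    $xpath = new DOMXPath($dom);
    $expr  = '//*[text()[contains(., ' . xpathLiteral($value) . ')]]';
    $elements = $xpath->query($expr);
    if ($elements === false) {   // query() returns false, not null, on a bad expression
        throw new RuntimeException("XPath compile failed: $expr");
    }
    $result = [];
    foreach ($elements as $element) {
        foreach ($element->childNodes as $node) {
            if ($node->nodeType === XML_TEXT_NODE && $node->nodeValue === $value) {
                $result[] = [
                    'value' => $node->nodeValue,
                    // strip the trailing /text() to report the element's path
                    'xpath' => preg_replace('#/text\(\)$#', '', $node->getNodePath()),
                ];
            }
        }
    }
    return $result;
}

// Constructed sample document (assumption: the page never shows the real HTML).
$html = <<<'HTML'
<html><body>
  <h1>Levi's Baby Overall</h1>
  <p>Levi's Baby Overall</p>
  <p>Say "Hi" to Levi's Baby Overall</p>
  <p>Other product</p>
</body></html>
HTML;

$dom = new DOMDocument();
libxml_use_internal_errors(true);   // collect parser warnings instead of silencing with @
$dom->loadHTML($html);
libxml_clear_errors();

// A value with a single quote is wrapped in double quotes.
echo xpathLiteral("Levi's Baby Overall"), "\n";      // "Levi's Baby Overall"
// A value with both quote kinds becomes a concat() call.
echo xpathLiteral('Say "Hi" to Levi\'s'), "\n";      // concat('Say "Hi" to Levi', "'", 's')

// The third <p> contains the text but is not equal to it, so only two hits remain.
foreach (findTextNodes($dom, "Levi's Baby Overall") as $hit) {
    echo $hit['xpath'], "\n";                        // /html/body/h1 and /html/body/p[1]
}

// For comparison, the question's interpolation would have produced
//   //*[text()[contains(., 'Levi's Baby Overall')]]
// an unbalanced literal: the compile error the asker saw, and the same hook
// an attacker uses to append their own predicates to the query.
```

The literal builder only protects the expression's syntax; it does not restrict what the query may match, so the expression around it should still be as narrow as the use case allows, exactly as with parameterised SQL.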
