Posted to commits@jena.apache.org by rv...@apache.org on 2013/04/10 01:37:49 UTC
svn commit: r1466290 -
/jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java
Author: rvesse
Date: Tue Apr 9 23:37:48 2013
New Revision: 1466290
URL: http://svn.apache.org/r1466290
Log:
Make sure everything flows through our stringToNode() method in ParameterizedSparqlString, only escape ' if the node is a literal since otherwise it is safe
Modified:
jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java
Modified: jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java?rev=1466290&r1=1466289&r2=1466290&view=diff
==============================================================================
--- jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java (original)
+++ jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java Tue Apr 9 23:37:48 2013
@@ -428,7 +428,7 @@ public class ParameterizedSparqlString i
public void appendNode(Node n) {
SerializationContext context = new SerializationContext(this.prefixes);
context.setBaseIRI(this.baseUri);
- this.cmd.append(FmtUtils.stringForNode(n, context));
+ this.cmd.append(this.stringForNode(n, context));
}
/**
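Review bot: `appendNode` now routes through `stringForNode`, which rewrites `'` in literal nodes, so the Javadoc that precedes this hunk should say that appended literals are escaped for embedding rather than emitted verbatim, e.g. `Literal nodes are serialized via {@link #stringForNode(Node, SerializationContext)}, which escapes any single quote in the result`. Without that sentence a caller comparing the appended text against `FmtUtils.stringForNode` output would see an undocumented difference. The Javadoc block for this method begins outside the hunk.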
@@ -450,7 +450,7 @@ public class ParameterizedSparqlString i
* URI to append
*/
public void appendIri(String uri) {
- this.cmd.append(FmtUtils.stringForURI(uri));
+ this.appendNode(NodeFactory.createURI(uri));
}
/**
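Review bot: `appendIri(String)` now builds the node with `NodeFactory.createURI(uri)`, which performs no validation of the string, so the Javadoc above (`URI to append`) should state that the caller is responsible for passing a well-formed IRI; the same applies to `appendIri(IRI)` in the next hunk. Going through `appendNode` also means the IRI is serialized with the prefix-aware `SerializationContext`, so it may now be rendered as a prefixed name instead of the `<...>` form the removed `FmtUtils.stringForURI` call produced, which is an output change worth one sentence, e.g. `@param uri URI to append; not validated, and may be rendered as a prefixed name when a matching prefix is registered`. The Javadoc block begins outside the hunk.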
@@ -461,7 +461,7 @@ public class ParameterizedSparqlString i
* IRI to append
*/
public void appendIri(IRI iri) {
- this.appendIri(iri.toString());
+ this.appendNode(NodeFactory.createURI(iri.toString()));
}
/**
@@ -1220,7 +1220,7 @@ public class ParameterizedSparqlString i
protected final String stringForNode(Node n, SerializationContext context) {
String str = FmtUtils.stringForNode(n, context);
- if (str.contains("'")) {
+ if (n.isLiteral() && str.contains("'")) {
// Should escape ' to avoid a possible injection vulnerability
str = str.replace("'", "\\'");
}
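Review bot: The `'` escape in `stringForNode` is a textual replace over the whole serialized node, so for a literal it also rewrites a `'` appearing in the datatype IRI or language-tag suffix, not only the lexical form, and whether the result is well-formed depends on how `FmtUtils.stringForNode` delimits and escapes the literal, which is outside this hunk. If FmtUtils already escapes its own delimiter, the extra backslash only matters when the substituted `?var` sits inside a single-quoted literal in the command text, and a more defensive option is to refuse substitution at such positions (the `DelimiterInfo` parsing added later in this commit appears aimed at locating exactly those) rather than patching the value. At minimum the existing comment should record that assumption: `// FmtUtils escapes the delimiters it emits; this extra escape covers a ?var occurrence inside a single-quoted literal in the command text`. The method's return statement lies outside the hunk.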
@@ -1452,10 +1452,18 @@ public class ParameterizedSparqlString i
return this.prefixes.samePrefixMappingAs(other);
}
+ /**
+ * Represents information about delimiters in a string
+ *
+ */
private class DelimiterInfo {
private List<Pair<Integer, String>> starts = new ArrayList<Pair<Integer, String>>();
private Map<Integer, Integer> stops = new HashMap<Integer, Integer>();
+ /**
+ * Parse delimiters from a string, discards any previously parsed information
+ * @param command Command string
+ */
public void parseFrom(String command) {
this.starts.clear();
this.stops.clear();
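Review bot: `DelimiterInfo` is declared as a non-static inner class, so every instance carries a hidden reference to the enclosing `ParameterizedSparqlString`; the visible lines only touch its own `starts` and `stops`, so `private static class DelimiterInfo` would be the conventional form unless a method outside the hunk reads outer state. The new class Javadoc could also say what is being tracked, since the fields suggest start offsets paired with the delimiter text plus a start-to-stop offset map, e.g. `Tracks string-literal delimiters found in a command string: each start offset with its delimiter text, and the matching stop offset for each start`. The class body continues past the hunk.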
@@ -1602,6 +1610,7 @@ public class ParameterizedSparqlString i
}
}
+ @SuppressWarnings("unused")
public boolean isInsideAltLiteral(int start, int stop) {
Pair<Integer, String> pair = this.findBefore(start);
if (pair == null)
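Review bot: `@SuppressWarnings("unused")` on the public `isInsideAltLiteral` (and on `isBetweenLiterals` in the following hunk) silences the warning rather than resolving it; if these helpers have no callers, removing them is the usual choice, and if they are kept for later use a comment is preferable to the suppression, e.g. `// currently unreferenced; retained because <reason>`. Note also that `"unused"` is an Eclipse-specific warning key that javac does not recognise, so the annotation has no effect outside that IDE. The method body continues outside the hunk.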
@@ -1617,6 +1626,7 @@ public class ParameterizedSparqlString i
}
}
+ @SuppressWarnings("unused")
public boolean isBetweenLiterals(int start, int stop) {
Pair<Integer, String> pairBefore = this.findBefore(start);
if (pairBefore == null)