Safe XPath $variable binding.

[kbloom]

Please add support for binding $variables in XPath expressions. This behavior can be used to prevent XPath injection attacks. This is similar to REXML's XPath.first( node, "//*[@id=$href]", nil, {"href"=>"linktohere"}). This is implemented in the libxml API using the xmlXPathRegisterVariable function.

[kbloom]

I now have (untested) patches for Java and libxml support for this feature at http://github.com/kbloom/nokogiri. I don't know what's the best way to implement this into Node#xpath yet, and I'm still trying figure out how to build new gems with these patches on my Debian system.

[tenderlove]

adding XPath bind parameter substitution. closed by d5cddbd

[kbloom]

Thank you for merging this.

[flavorjones]

I've tried to document this functionality in 95240c4. Shrugs.

[kbloom]

The documentation looks pretty good. Life would be easier if the #xpath interface wasn't so flexible in the first place. I'd add another example that demonstrates how to use both namespaces and variables at the same time, just to make it totally clear what's happening:

node.xpath('.//foo:address[@domestic=$value]',
      {'foo' => 'http://www.example.org/'},
      {:value => 'Yes'})