Markus Winand <markus(dot)winand(at)winand(dot)at> writes:
> The XML output of explain potentially outputs the XML tag names "I/O-Write-Time"
> and "I/O-Read-Time", which are invalid due to the slash.
Ooops.
> Although the patch fixes the problem for the moment, it is incomplete in the
> sense that it continues to check against an incomplete black list. I guess
> this is how it slipped in: XML explain was added in 9.0, I/O timings in 9.2.
Yeah. The whitelist approach would look something like
	appendStringInfoChar(es->str, strchr(XMLCHARS, *s) ? *s : '-');
which would be quite a few more cycles than just testing for ' ' and '/'.
So I'm not sure it's worth it. On the other hand, I have little faith
that we wouldn't make a similar mistake in future.
regards, tom lane
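
The two approaches discussed in this message, side by side, as an added example that is not part of the original message or of the PostgreSQL source. XMLCHARS is not defined in the thread, so the set used here is an assumed ASCII subset of valid XML name characters; the function names and the sample labels are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: XMLCHARS is not defined in the message; this is an ASCII
 * subset of the characters XML permits in an element name. */
#define XMLCHARS "abcdefghijklmnopqrstuvwxyz" \
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "0123456789-_."

/* Denylist: replace only the two characters known to cause trouble. */
static char *tag_denylist(const char *s, char *out, size_t n)
{
    size_t i = 0;
    if (n == 0) return out;
    for (; *s && i + 1 < n; s++)
        out[i++] = (*s == ' ' || *s == '/') ? '-' : *s;
    out[i] = '\0';
    return out;
}

/* Allowlist: keep only characters found in XMLCHARS, replace the rest. */
static char *tag_allowlist(const char *s, char *out, size_t n)
{
    size_t i = 0;
    if (n == 0) return out;
    for (; *s && i + 1 < n; s++)
        out[i++] = strchr(XMLCHARS, *s) ? *s : '-';
    out[i] = '\0';
    return out;
}

/* Conservative check: starts with a letter or '_', all chars in XMLCHARS. */
static int is_xml_tag(const char *s)
{
    if (!(*s == '_' || (*s >= 'A' && *s <= 'Z') || (*s >= 'a' && *s <= 'z')))
        return 0;
    return s[strspn(s, XMLCHARS)] == '\0';
}

int main(void)
{
    /* Constructed sample labels, the second one is purely hypothetical. */
    const char *labels[] = { "I/O Read Time", "Hit Rate (%)" };
    char a[64], b[64];
    for (size_t i = 0; i < 2; i++) {
        tag_denylist(labels[i], a, sizeof a);
        tag_allowlist(labels[i], b, sizeof b);
        printf("%-14s deny=%s (%d)  allow=%s (%d)\n",
               labels[i], a, is_xml_tag(a), b, is_xml_tag(b));
    }
    return 0;
}
```

The allowlist form still does not repair a label whose first character is a digit, '-' or '.', which is_xml_tag() rejects.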