
Special Character in XPATH Query


This is surprisingly difficult to do.

Take a look at the XPath Recommendation, and you'll see that it defines a literal as:

    Literal ::= '"' [^"]* '"'
              | "'" [^']* "'"

Which is to say, string literals in XPath expressions can contain apostrophes or double quotes but not both.

You can't use escaping to get around this. A literal like this:

    'Some&apos;Value'

will match this XML text:

    Some&amp;apos;Value

This does mean that it's possible for there to be a piece of XML text that you can't generate an XPath literal to match, e.g.:

    <elm att="&quot;&apos;"/>

But that doesn't mean it's impossible to match that text with XPath, it's just tricky. In any case where the value you're trying to match contains both single and double quotes, you can construct an expression that uses concat to produce the text that it's going to match:

    elm[@att=concat('"', "'")]

So that leads us to this, which is a lot more complicated than I'd like it to be:

    using System.Text; // StringBuilder

    /// <summary>
    /// Produce an XPath literal equal to the value if possible; if not, produce
    /// an XPath expression that will match the value.
    ///
    /// Note that this function will produce very long XPath expressions if a value
    /// contains a long run of double quotes.
    /// </summary>
    /// <param name="value">The value to match.</param>
    /// <returns>If the value contains only single or double quotes, an XPath
    /// literal equal to the value.  If it contains both, an XPath expression,
    /// using concat(), that evaluates to the value.</returns>
    static string XPathLiteral(string value)
    {
        // if the value contains only single or double quotes, construct
        // an XPath literal
        if (!value.Contains("\""))
        {
            return "\"" + value + "\"";
        }
        if (!value.Contains("'"))
        {
            return "'" + value + "'";
        }

        // if the value contains both single and double quotes, construct an
        // expression that concatenates all non-double-quote substrings with
        // the quotes, e.g.:
        //
        //    concat("foo", '"', "bar")
        StringBuilder sb = new StringBuilder();
        sb.Append("concat(");
        string[] substrings = value.Split('\"');
        for (int i = 0; i < substrings.Length; i++)
        {
            bool needComma = (i > 0);
            if (substrings[i] != "")
            {
                if (i > 0)
                {
                    sb.Append(", ");
                }
                sb.Append("\"");
                sb.Append(substrings[i]);
                sb.Append("\"");
                needComma = true;
            }
            if (i < substrings.Length - 1)
            {
                if (needComma)
                {
                    sb.Append(", ");
                }
                sb.Append("'\"'");
            }
        }
        sb.Append(")");
        return sb.ToString();
    }

And yes, I tested it with all the edge cases. That's why the logic is so stupidly complex:

    // requires: using System; using System.Xml;
    static void Main()
    {
        // The document the test elements are appended to; the XPath below
        // expects a <root> document element.
        XmlDocument d = new XmlDocument();
        d.LoadXml("<root/>");

        foreach (string s in new[]
        {
            "foo",              // no quotes
            "\"foo",            // double quotes only
            "'foo",             // single quotes only
            "'foo\"bar",        // both; double quotes in mid-string
            "'foo\"bar\"baz",   // multiple double quotes in mid-string
            "'foo\"",           // string ends with double quotes
            "'foo\"\"",         // string ends with run of double quotes
            "\"'foo",           // string begins with double quotes
            "\"\"'foo",         // string begins with run of double quotes
            "'foo\"\"bar"       // run of double quotes in mid-string
        })
        {
            Console.Write(s);
            Console.Write(" = ");
            Console.WriteLine(XPathLiteral(s));
            XmlElement elm = d.CreateElement("test");
            d.DocumentElement.AppendChild(elm);
            elm.SetAttribute("value", s);
            string xpath = "/root/test[@value = " + XPathLiteral(s) + "]";
            if (d.SelectSingleNode(xpath) == elm)
            {
                Console.WriteLine("OK");
            }
            else
            {
                Console.WriteLine("Should have found a match for {0}, and didn't.", s);
            }
        }
        Console.ReadKey();
    }


EDIT: After a heavy unit testing session, and checking the XPath Standards, I have revised my function as follows:

    // XPathException lives in System.Xml.XPath
    public static string ToXPath(string value) {
        const string apostrophe = "'";
        const string quote = "\"";

        if (value.Contains(quote)) {
            if (value.Contains(apostrophe)) {
                throw new XPathException("Illegal XPath string literal.");
            } else {
                return apostrophe + value + apostrophe;
            }
        } else {
            return quote + value + quote;
        }
    }

It appears that XPath doesn't have a character escaping system at all, it's quite primitive really. Evidently my original code only worked by coincidence. My apologies for misleading anyone!

Original answer below for reference only - please ignore

For safety, make sure that any occurrence of all 5 predefined XML entities in your XPath string are escaped, e.g.

    public static string ToXPath(string value) {
        return "'" + XmlEncode(value) + "'";
    }

    public static string XmlEncode(string value) {
        StringBuilder text = new StringBuilder(value);
        text.Replace("&", "&amp;");
        text.Replace("'", "&apos;");
        text.Replace(@"""", "&quot;");
        text.Replace("<", "&lt;");
        text.Replace(">", "&gt;");
        return text.ToString();
    }

I have done this before and it works fine. If it doesn't work for you, maybe there is some additional context to the problem that you need to make us aware of.


I ported Robert's answer to Java (tested in 1.6):

    /// <summary>
    /// Produce an XPath literal equal to the value if possible; if not, produce
    /// an XPath expression that will match the value.
    ///
    /// Note that this function will produce very long XPath expressions if a value
    /// contains a long run of double quotes.
    /// </summary>
    /// <param name="value">The value to match.</param>
    /// <returns>If the value contains only single or double quotes, an XPath
    /// literal equal to the value.  If it contains both, an XPath expression,
    /// using concat(), that evaluates to the value.</returns>
    public static String XPathLiteral(String value) {
        if (!value.contains("\"") && !value.contains("'")) {
            return "'" + value + "'";
        }
        // if the value contains only single or double quotes, construct
        // an XPath literal
        if (!value.contains("\"")) {
            System.out.println("Doesn't contain Quotes");
            String s = "\"" + value + "\"";
            System.out.println(s);
            return s;
        }
        if (!value.contains("'")) {
            System.out.println("Doesn't contain apostophes");
            String s = "'" + value + "'";
            System.out.println(s);
            return s;
        }

        // if the value contains both single and double quotes, construct an
        // expression that concatenates all non-double-quote substrings with
        // the quotes, e.g.:
        //
        //    concat("foo", '"', "bar")
        StringBuilder sb = new StringBuilder();
        sb.append("concat(");
        // A limit of -1 makes split() keep trailing empty strings. Without it
        // Java drops them, and a value ending in a run of double quotes would
        // lose all but one of those quotes.
        String[] substrings = value.split("\"", -1);
        for (int i = 0; i < substrings.length; i++) {
            boolean needComma = (i > 0);
            if (!substrings[i].equals("")) {
                if (i > 0) {
                    sb.append(", ");
                }
                sb.append("\"");
                sb.append(substrings[i]);
                sb.append("\"");
                needComma = true;
            }
            if (i < substrings.length - 1) {
                if (needComma) {
                    sb.append(", ");
                }
                sb.append("'\"'");
            }
            System.out.println("Step " + i + ": " + sb.toString());
        }
        sb.append(")");
        String s = sb.toString();
        System.out.println(s);
        return s;
    }

Hope this helps somebody!
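
A different way to match a value that contains both quote characters in Java, added here as an example and not taken from any of the answers above: bind the value to an XPath variable through the standard `javax.xml.xpath.XPathVariableResolver`, so no literal or `concat()` expression has to be built. The class name, the variable name `v` and the sample document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathVariableExample {

    // Constructed sample document; the second value is "' (both quote types).
    static final String XML =
        "<root>"
        + "<test value=\"foo\"/>"
        + "<test value=\"&quot;&apos;\"/>"
        + "<test value=\"&apos;foo&quot;&quot;bar\"/>"
        + "</root>";

    /** Counts /root/test elements whose value attribute equals the given string. */
    static int countMatches(final String value) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        // The value is bound to $v at evaluation time. It is never parsed as
        // XPath text, so its quote characters need no literal syntax.
        xpath.setXPathVariableResolver(new XPathVariableResolver() {
            public Object resolveVariable(QName name) {
                // Returning null for any other name makes evaluation fail
                // instead of silently matching nothing.
                return "v".equals(name.getLocalPart()) ? value : null;
            }
        });
        NodeList hits = (NodeList) xpath.evaluate(
            "/root/test[@value = $v]",
            new InputSource(new StringReader(XML)),
            XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws XPathExpressionException {
        // Constructed inputs covering no quotes, both quotes, and a miss.
        String[] samples = { "foo", "\"'", "'foo\"\"bar", "no such value" };
        for (String s : samples) {
            System.out.println(s + " -> " + countMatches(s) + " match(es)");
        }
    }
}
```

Because the expression text stays constant, the same query string can be reused for any input value, including values supplied by users.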