Hi trichel,

Which API are you using to bind the external variables to your query before evaluating it?

Best,
Christian 



trichel <trichel@protonmail.com> wrote on Sun., 26 June 2022, 18:58:
Hello,

How to write secure queries when the queried text nodes contain ampersands? For instance:


declare variable $publisher external; (: $publisher == 'Faber & Faber' :)
declare variable $db := db:open('db');

let $records := $db/record/publisher[. = $publisher]  (: publisher == 'Faber & Faber' :)


The external variable is unsafe input, escaped by the sending application.
Escaping the ampersand in the external variable with &amp; (& a m p ;) doesn't work, BaseX stops finding hits. Just letting the ampersand pass might expose the code to injection attacks? I could switch to a full-text query and remove the ampersand from the external variable, but that's a bit hackish. The expression is exact.

How to proceed in a secure way?
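Added example, not part of this thread: the value is passed to BaseX as a bound external variable, so the query text never contains it and '&' needs no escaping in the value itself; the REST variant shows that the escaping the question describes belongs to the XML transport envelope, which BaseX decodes before binding. Host, port and credentials in the main block are assumptions.

```python
# Added example: bind the untrusted value as an external variable instead of
# splicing it into the query text. The XQuery source stays constant, so '&',
# quotes or braces inside the value cannot change the code that is evaluated.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Query text based on the question; it never contains the user-supplied value.
QUERY = """
declare variable $publisher external;
db:open('db')/record[publisher = $publisher]
"""

def find_by_publisher(session, publisher):
    """Run QUERY through a BaseX client session (BaseXClient.Session or a
    compatible object). The raw value goes to Query.bind(); '&' stays '&'."""
    query = session.query(QUERY)
    try:
        query.bind("$publisher", publisher)   # data, not code
        return query.execute()
    finally:
        query.close()

def rest_query_body(publisher):
    """Body for a POST to the BaseX REST endpoint. Here the transport is XML,
    so the attribute value must be XML-escaped (Faber &amp; Faber); BaseX
    parses the envelope and binds the decoded value."""
    return (
        '<query xmlns="http://basex.org/rest">'
        f"<text>{escape(QUERY)}</text>"
        f"<variable name=\"publisher\" value={quoteattr(publisher)}/>"
        "</query>"
    )

def bound_value_in_rest_body(body):
    """What the server will actually bind: read the attribute back from the envelope."""
    ns = "{http://basex.org/rest}"
    return ET.fromstring(body).find(f"{ns}variable").get("value")

if __name__ == "__main__":
    # Needs a running BaseX server and the BaseXClient module (assumed setup).
    from BaseXClient import BaseXClient
    session = BaseXClient.Session("localhost", 1984, "admin", "admin")
    try:
        print(find_by_publisher(session, "Faber & Faber"))
    finally:
        session.close()
```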