Grex should be able to handle bound parameters
The Gremlin extension API allows for parameters to be sent as a map bound to the script engine (see https://github.com/tinkerpop/rexster/wiki/Gremlin-Extension#gremlin-extension-api).
Grex currently does not support bound parameters, making it vulnerable to Gremlin injection vulnerabilities (just like SQL injection).
This issue should be addressed as soon as possible, though it may require a bit more refactoring regarding the way arguments are currently handled.
Thoughts welcome!
This has been partially added in the develop branch. Bound parameters are supported when using the string formatted version of query(). See README.md in the develop branch.
Further changes/improvements on this topic (i.e. bound parameters with gRex helpers) will be reflected in this discussion.