Subject: Re: [xsl] XSL Injection, is it possible?
From: "Dimitre Novatchev" <dnovatchev@xxxxxxxxx>
Date: Tue, 30 May 2006 12:13:03 -0700
-- Cheers, Dimitre Novatchev --------------------------------------- Truly great madness cannot be achieved without significant intelligence.
On May 30, 2006, at 5:13 PM, Dimitre Novatchev wrote:
>> But I do wonder, how would you circumvent an XPath expression such as
>> this?
>>
>> select="//page[@name = $pagename]/content[@lang = $lang]/block[@id = $block_id]"
>
> This expression:
>
> //page[@name = $pagename and anInterestingXPathExpression]
>
> will produce the page with name given by $pagename only when the
> "anInterestingXPathExpression" is true.
>
> In this way I could test whether certain elements have certain values,
> ..., etc.
>
> In case the dynamically generated XPath expression is evaluated within
> an XSLT processor, then the document() function is very likely to be
> referenced within the injected part of the expression.
>
> The same goes for any extension functions that might be supported.
Ok, but how would someone be able to append " and anInterestingXPathExpression" to the $pagename variable? Just adding " or 1 = 1" to the incoming value (as would be the case with SQL injection) doesn't work with Sablotron, Saxon, libxslt nor Xalan-J. The processors see the value of $pagename as [@name = 'home.html and 1 = 1'] rather than as [@name = home.html and 1 = 1]
Honestly, posting how to do this to the list may not be the best idea, but I sure would like to be able to say that the methodology I'm following is sound 8~/
Thanks again for the ideas and feedback.
Ted
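As an added example (not code from the thread), the script below uses lxml, which drives libxml2's XPath engine, the same engine underneath libxslt, to show why Ted's bound-variable expression treats the input as one string value while the identical expression built by string concatenation does not. The sample document, page names and block ids are constructed here for illustration.

```python
from lxml import etree

# Constructed sample document in the shape Ted's expression navigates.
SITE = etree.fromstring(
    "<site>"
    "<page name='home.html'><content lang='en'><block id='b1'>public</block></content></page>"
    "<page name='admin.html'><content lang='en'><block id='b1'>private</block></content></page>"
    "</site>"
)


def blocks_by_concat(pagename, lang="en", block_id="b1"):
    """Expression assembled by string concatenation: the input is parsed as XPath syntax."""
    expr = ("//page[@name = '" + pagename + "']"
            "/content[@lang = '" + lang + "']"
            "/block[@id = '" + block_id + "']")
    return [b.text for b in SITE.xpath(expr)]


def blocks_by_variable(pagename, lang="en", block_id="b1"):
    """Expression with bound variables, as in Ted's select= attribute:
    the processor sees $pagename as a single string value, never as syntax."""
    expr = "//page[@name = $pagename]/content[@lang = $lang]/block[@id = $block_id]"
    return [b.text for b in SITE.xpath(expr, pagename=pagename, lang=lang, block_id=block_id)]


if __name__ == "__main__":
    # Ted's value: without a quote it cannot leave the string literal in either form.
    print(blocks_by_variable("home.html or 1 = 1"))        # []
    print(blocks_by_concat("home.html or 1 = 1"))          # []
    # A value that closes the literal only matters when the string is concatenated.
    quoted = "home.html' or 1 = 1 or '"
    print(blocks_by_concat(quoted))                        # ['public', 'private']
    print(blocks_by_variable(quoted))                      # []
```

The bound-variable form returns nothing for either value because the whole input is compared as a string against @name, which is the behaviour Ted observed across the four processors.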