Subject: Re: [xsl] XSL Injection, is it possible?
From: "Dimitre Novatchev" <dnovatchev@xxxxxxxxx>
Date: Mon, 29 May 2006 18:34:23 -0700
There are some applications that allow the end user to enter an XPath expression (oh, why does this sound somewhat familiar to me :o) ), and the possibility for *XPath Injection* is a very real one.
Even if the user is only expected to enter an element name, if the input is not checked, it may contain an injected XPath expression.
--
Cheers,
Dimitre Novatchev
---------------------------------------
Truly great madness cannot be achieved without significant intelligence.
I have a web-based CMS in which all the data is stored in an XML file. I use XSL extensively. I take user input and insert it into the XML file in several different places.
Currently my sanitizing function just escapes <, >, ', and " in the input, but I was wondering if anyone knows of other vectors by which attackers can enter. Are these characters recognized by the XSLT engine if they are hex or Unicode encoded?
Thanks in advance and I hope this hasn't been covered elsewhere (I haven't been able to find anything on it).
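
The reply's point about an unchecked "element name" can be seen in the following added example, which is not code from the thread or from either poster. It uses Python's standard `xml.etree.ElementTree` path support; the document, the field names and the allow-list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data, not taken from the thread.
DOC = ET.fromstring(
    "<users>"
    "<user name='alice'><email>alice@example.org</email><secret>a-secret</secret></user>"
    "<user name='bob'><email>bob@example.org</email><secret>b-secret</secret></user>"
    "</users>"
)

# Deliberately narrow ASCII subset of XML names: rejects '/', '.', '*',
# '[', ':', quotes and whitespace, all of which have meaning in a path.
PLAIN_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*\Z")
# Hypothetical allow-list of child elements a caller may read.
ALLOWED_FIELDS = frozenset({"email"})


def lookup_unchecked(field):
    """The 'element name' is concatenated into the path as-is."""
    return [e.text for e in DOC.findall("./user[@name='alice']/" + field)]


def lookup_checked(field):
    """Accept only a plain name that is also on the allow-list."""
    if not PLAIN_NAME.match(field):
        raise ValueError("not a plain element name: %r" % field)
    if field not in ALLOWED_FIELDS:
        raise ValueError("element not permitted: %r" % field)
    return [e.text for e in DOC.findall("./user[@name='alice']/" + field)]


if __name__ == "__main__":
    # Constructed inputs: one expected name, then values that are not names.
    for value in ("email", "*", "../user/secret", "secret"):
        print(repr(value), "unchecked ->", lookup_unchecked(value))
        try:
            print(repr(value), "checked   ->", lookup_checked(value))
        except ValueError as exc:
            print(repr(value), "checked   -> rejected:", exc)
```

The value `secret` passes the syntax check and is stopped only by the allow-list, so checking that the input looks like a name does not by itself decide which elements may be read.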