Subject: Re: [xsl] XSL Injection, is it possible?
From: "M. David Peterson" <m.david@xxxxxxxxxx>
Date: Tue, 30 May 2006 00:57:34 -0600
oh, why does this sound somewhat familiar to me <
There are some applications that allow the end user to enter an XPath expression (oh, why does this sound somewhat familiar to me :o) ), and the possibility for *XPath Injection* is a very real one.
Even if the user is only expected to enter an element name, if the input is not checked, it may contain an injected XPath expression.
Search for "xpath injection".
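The element-name case described in the message above, as an added example that is not part of the original thread: an unchecked "field name" pasted into a path expression, beside a form that accepts only a plain name. The document, the function names and the name pattern are assumptions made for illustration, and Python's `xml.etree.ElementTree` path subset stands in for a full XPath engine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document; element and attribute names are illustrative.
DOC = ET.fromstring(
    "<accounts>"
    "<account owner='alice'><email>alice@example.test</email>"
    "<balance>10</balance></account>"
    "<account owner='bob'><email>bob@example.test</email>"
    "<balance>99</balance></account>"
    "</accounts>"
)

# Conservative ASCII subset of an XML name: letters, digits, '_' and '-'.
# Path syntax ('/', '.', '*', '[', '|', quotes, spaces) never matches.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*")


def lookup_unchecked(root, owner, field):
    """'Before' form: the supplied field name is pasted into the path as-is."""
    path = f"./account[@owner='{owner}']/{field}"
    return [elem.text for elem in root.findall(path)]


def lookup_checked(root, owner, field):
    """Checked form: both values must be plain names before the path is built."""
    for value in (owner, field):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"not a plain name: {value!r}")
    return lookup_unchecked(root, owner, field)


if __name__ == "__main__":
    # Constructed input: a path step where an element name was expected.
    crafted = "../account/balance"
    print("expected use :", lookup_unchecked(DOC, "alice", "balance"))
    # The owner predicate no longer limits the result to one account.
    print("unchecked    :", lookup_unchecked(DOC, "alice", crafted))
    try:
        lookup_checked(DOC, "alice", crafted)
    except ValueError as exc:
        print("checked      : rejected,", exc)
```

A name check only keeps the input from changing the shape of the expression; which elements a caller may read is still a separate decision, usually an allow-list of field names.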