Re: [xsl] XSL Injection, is it possible?

Subject: Re: [xsl] XSL Injection, is it possible?
From: "G. T. Stresen-Reuter" <tedmasterweb@xxxxxxx>
Date: Tue, 30 May 2006 13:16:54 +0100
On May 30, 2006, at 2:34 AM, Dimitre Novatchev wrote:

There are some applications that allow the end user to enter an XPath
expression (oh, why does this sound somewhat familiar to me :o)    ),
and the possibility for *XPath Injection* is a very real one.

This was precisely the concern I had but lacked the language to express. Of course our system uses user input in XPath expressions. I'll have to go back and quadruple check that the origin and format of the variables are what I expect them to be or I could have some problems!

But I do wonder, how would you circumvent an XPath expression such as this?

select="//page[@name = $pagename]/content[@lang = $lang]/block[@id = $block_id]"

It seems to me that if the variables aren't exactly what the system expects, no match is found and no results are returned. Passing * as the $pagename also doesn't have the expected result since it seems be seen as the literal asterisk and not as the wildcard character. Am I missing something?

Thanks in advance and for this feedback. Very helpful indeed!

Ted Stresen-Reuter

Current Thread