Re: [xsl] XSL Injection, is it possible?

Subject: Re: [xsl] XSL Injection, is it possible?
From: "G. T. Stresen-Reuter" <tedmasterweb@xxxxxxx>
Date: Tue, 30 May 2006 19:26:26 +0100
On May 30, 2006, at 5:13 PM, Dimitre Novatchev wrote:

>> But I do wonder, how would you circumvent an XPath expression such as
>>
>> select="//page[@name = $pagename]/content[@lang = $lang]/block[@id =
>
> This expression:
>
> //page[@name = $pagename and anInterestingXPathExpression]
>
> will produce the page with name given by $pagename only when the
> "anInterestingXPathExpression" is true.
>
> In this way I could test whether certain elements have certain values, ..., etc.
>
> In case the dynamically generated XPath expression is evaluated within
> an XSLT processor, then the document() function is very likely to be
> referenced within the injected part of the expression.
>
> The same goes for any extension functions that might be supported.

Ok, but how would someone be able to append " and anInterestingXPathExpression" to the $pagename variable? Just adding " or 1 = 1" to the incoming value (as would be the case with SQL injection) doesn't work with Sablotron, Saxon, libxslt or Xalan-J. The processors see the value of $pagename as [@name = 'home.html and 1 = 1'] rather than as [@name = home.html and 1 = 1]

Honestly, posting how to do this to the list may not be the best idea, but I sure would like to be able to say that the methodology I'm following is sound 8~/

Thanks again for the ideas and feedback.
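The contrast the two posts circle around, as an added example that is not code from this thread and not from any of the processors named in it: a fixed XPath expression that receives the untrusted value through the variable $pagename, beside the same lookup built by splicing the value into the expression text. It uses Ruby's REXML XPath engine rather than an XSLT processor, so the document() part of Dimitre's remark cannot be shown here; it does show the "and anInterestingXPathExpression" boolean probe. The sample document, the page names and roles, the function names and the payload strings are all constructed for the example.

```ruby
require "rexml/document"

# Constructed sample site (not from the thread): one public page and one
# page the caller should never be able to select or learn anything about.
SITE_XML = <<~XML
  <site>
    <page name="home.html" role="public">
      <content lang="en"><block id="main">Welcome</block></content>
    </page>
    <page name="admin.html" role="staff">
      <content lang="en"><block id="main">Internal notes</block></content>
    </page>
  </site>
XML

def site_doc
  REXML::Document.new(SITE_XML)
end

# Bound form: the expression text is fixed and the untrusted value is
# supplied as the XPath variable $pagename. The engine compares @name to
# the whole string; nothing in the value is ever parsed as XPath.
def pages_bound(pagename)
  nodes = REXML::XPath.match(site_doc, "//page[@name = $pagename]",
                             {}, { "pagename" => pagename })
  nodes.map { |p| p.attributes["name"] }
end

# Spliced form: the untrusted value becomes part of the expression text.
# A single quote in the value closes the literal and the rest is XPath.
def pages_concat(pagename)
  nodes = REXML::XPath.match(site_doc, "//page[@name = '#{pagename}']")
  nodes.map { |p| p.attributes["name"] }
end

# Tautology payload (constructed). The trailing "or 'x'='" consumes the
# closing quote the template adds, so the predicate stays well-formed:
#   //page[@name = 'home.html' or 1 = 1 or 'x'='']
TAUTOLOGY = "home.html' or 1 = 1 or 'x'='"

# Boolean probe in the style of "//page[@name = $pagename and <expr>]":
# ask for a page the attacker is allowed to see, and-ed with a condition
# about something else in the document. Whether that page comes back
# answers the question, which is all an attacker needs to read data out
# one true/false at a time.
def blind_probe(condition)
  payload = "home.html' and #{condition} and 'x'='x"
  !pages_concat(payload).empty?
end

if __FILE__ == $0
  puts "bound, legitimate:  #{pages_bound('home.html').inspect}"
  puts "bound, tautology:   #{pages_bound(TAUTOLOGY).inspect}"
  puts "concat, legitimate: #{pages_concat('home.html').inspect}"
  puts "concat, tautology:  #{pages_concat(TAUTOLOGY).inspect}"
  puts "admin role staff?   #{blind_probe("//page[@name='admin.html']/@role = 'staff'")}"
  puts "admin role public?  #{blind_probe("//page[@name='admin.html']/@role = 'public'")}"
end
```

The bound lookup returns nothing for the tautology payload because the engine is comparing @name against the literal string `home.html' or 1 = 1 or 'x'='`, which is exactly the behaviour described above for Sablotron, Saxon, libxslt and Xalan-J with a bound $pagename. The spliced lookup returns every page, and the probe shows the quieter variant: the attacker never sees admin.html in the output, yet learns its role attribute from whether home.html is returned.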
