How to prevent XPath/XML injection in .NET

.net xml xpath code-injection

How can I prevent XPATH injection in the .NET Framework?

We were previously using string concatenation to build XPATH statements, but found that end users could execute some arbitrary XPATH. For example:

string queryValue = "pages[@url='" + USER_INPUT_VALUE + "']";
node = doc.DocumentElement.SelectSingleNode(queryValue);

Would it be sufficient to strip out single and double quotes from input strings?

Or, does the .NET framework support parameterized XPATH queries?


The main idea in preventing an XPath injection is to pre-compile the XPath expression you want to use and to allow variables (parameters) in it, which during the evaluation process will be substituted by user-entered values.

In .NET:

  1. Have your XPath expresion pre-compiled with XPathExpression.Compile().

  2. Use the XPathExpression.SetContext() Method to specify as context an XsltContext object that resolves some specific variables to the user-entered values.

You can read more about how to evaluate an XPath expression that contains variables here.

This text contains good and complete examples.


Strongly typed parameters are available if you use a full-blown XsltTransform.


Parameterized XPath is possible if you use Saxon as your XPath processor.

Related

Java Display the Prime Factorization of a number
file download by calling .ashx page
What can we do with ES6 Generator that we cannot with for loop?
android.database.CursorIndexOutOfBoundsException: Index -1 requested
Java JAR can't find file
Docker volume option create folder as "root" user
Siamese Network using Rstudio Keras
Why does calling quit() before exec() not quit the application?
Read and rbind multiple csv files
How will browsers handle ES6 import/export syntax
How to fetch a value as a string in laravel?
Has Python 3 to_bytes been back-ported to python 2.7?