...
- Operating system command interpreter (see guideline IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method)
- A data repository with an SQL-compliant interface
- XML parser
- XPath evaluators
- A SAX (Simple API for XML) or a DOM (Document Object Model) parser
- Lightweight Directory Access Protocol (LDAP) directory service
- Script engines
Many rules address proper filtering and sanitization of untrusted input, especially when such input is passed to a component that can interpret commands or instructions (such as those listed above).
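As an added illustration of the point above (this is example code written for this page, not code from the CERT standard), the following Java program shows the same untrusted credentials passed to one of the listed interpreters, an XPath evaluator, first by string concatenation and then through a fixed expression whose values are bound with an `XPathVariableResolver`. It uses only the JDK's built-in DOM and XPath implementations; the `<users>` document and the credentials are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathInjectionDemo {

    // Constructed sample document standing in for a real user store.
    private static final String USERS =
        "<users>"
      + "<user><name>alice</name><password>s3cret</password></user>"
      + "<user><name>bob</name><password>hunter2</password></user>"
      + "</users>";

    // The XML parser is itself an interpreter of untrusted input: disable
    // DOCTYPE declarations (and with them external entities) before parsing.
    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Vulnerable: the caller's text becomes part of the XPath expression, so
    // quotes and operators in it are interpreted as XPath, not as data.
    static boolean loginUnsafe(Document doc, String name, String pw) throws Exception {
        String expr = "boolean(/users/user[name/text()='" + name
                    + "' and password/text()='" + pw + "'])";
        XPath xp = XPathFactory.newInstance().newXPath();
        return (Boolean) xp.evaluate(expr, doc, XPathConstants.BOOLEAN);
    }

    // Hardened: the expression is a fixed string; untrusted values are bound
    // to $name and $pw through a variable resolver and never parsed as XPath.
    static boolean loginSafe(Document doc, String name, String pw) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(var -> {
            switch (var.getLocalPart()) {
                case "name": return name;
                case "pw":   return pw;
                default:     return null;
            }
        });
        String expr = "boolean(/users/user[name/text()=$name and password/text()=$pw])";
        return (Boolean) xp.evaluate(expr, doc, XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS);

        // Legitimate credentials: both versions accept them.
        System.out.println("legit,  unsafe: " + loginUnsafe(doc, "alice", "s3cret"));
        System.out.println("legit,  safe:   " + loginSafe(doc, "alice", "s3cret"));

        // Constructed injection payload: closes the quoted literal and appends
        // an always-true clause ("' or '1'='1").
        String evilName = "alice' or '1'='1";
        String evilPw   = "x' or '1'='1";
        System.out.println("inject, unsafe: " + loginUnsafe(doc, evilName, evilPw));
        System.out.println("inject, safe:   " + loginSafe(doc, evilName, evilPw));
    }
}
```

Run with `javac XPathInjectionDemo.java && java XPathInjectionDemo`. With the injected credentials the concatenated predicate becomes `name/text()='alice' or '1'='1' and password/text()='x' or '1'='1'`, which evaluates to true because the trailing `or '1'='1'` is always satisfied, so `loginUnsafe` authenticates without a valid password; `loginSafe` compares the whole injected strings as literal values, finds no matching user, and returns false. The same pattern, a fixed command or query plus separately bound parameters, is what `PreparedStatement` provides for the SQL case and what an allowlist of permitted arguments provides for `Runtime.exec()` (IDS07-J).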
...