...
In this noncompliant code example, a user name and password are read from the user and used to construct the query string. The password is passed as a char array, and then hashed, all to comply with MSC51-J. Store passwords using a hash function and MSC56MSC63-JJG. Limit the lifetime of sensitive data.
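As an added illustration (not code from the original page or the CERT standard), the sketch below places the concatenated query next to a version that binds the same values through an XPathVariableResolver; the user store, element names and the precomputed hash value are constructed for this example.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class XPathLoginDemo {
    // Constructed sample user store; the hash is a placeholder, not a real digest.
    private static final String USERS_XML =
        "<users><user><login>alice</login><password>HASH_PLACEHOLDER</password></user></users>";

    // Noncompliant: untrusted text is spliced into the query, so it is parsed as XPath syntax.
    static boolean loginConcatenated(Document doc, String login, String passwordHash) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String query = "/users/user[login/text()='" + login
                     + "' and password/text()='" + passwordHash + "']";
        return (Boolean) xpath.evaluate(query, doc, XPathConstants.BOOLEAN);
    }

    // Compliant: the expression is fixed; input reaches it only as variable values.
    static boolean loginParameterized(Document doc, String login, String passwordHash) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name -> {
            switch (name.getLocalPart()) {
                case "login": return login;
                case "pw":    return passwordHash;
                default:      return null;
            }
        });
        XPathExpression expr = xpath.compile("/users/user[login/text()=$login and password/text()=$pw]");
        return (Boolean) expr.evaluate(doc, XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(USERS_XML.getBytes(StandardCharsets.UTF_8)));
        // A legitimate name containing an apostrophe changes the meaning of the concatenated query
        // (it fails to parse), while the parameterized form simply evaluates to false.
        String name = "O'Brien";
        try {
            System.out.println("concatenated: " + loginConcatenated(doc, name, "HASH_PLACEHOLDER"));
        } catch (Exception e) {
            System.out.println("concatenated query rejected: " + e.getClass().getSimpleName());
        }
        System.out.println("parameterized: " + loginParameterized(doc, name, "HASH_PLACEHOLDER"));
        System.out.println("parameterized, valid user: " + loginParameterized(doc, "alice", "HASH_PLACEHOLDER"));
    }
}
```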
...
...