...

In addition, OWASP [OWASP 2005] recommends the following:

Prevention of XPath injection requires the following characters to be removed (i.e., prohibited) or properly escaped:

  • < > / ' = " to prevent straight parameter injection
  • XPath queries should not contain any meta characters (such as ' = * ? // or similar)
  • XSLT expansions should not contain any user input; if they do, comprehensively test the existence of the file and ensure that the files are within the bounds set by the Java 2 Security Policy.
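
The following Java program is an added example (not code from this page, OWASP, or the CERT rule): it applies the character list above as a reject-on-sight check, and contrasts a query that concatenates parameters into the XPath expression with one that binds them through JAXP's XPathVariableResolver, so the values are never parsed as expression syntax. The sample document, user names and password are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathInjectionDemo {
    // Constructed sample document; not taken from the page.
    static final String USERS_XML =
        "<users><user><name>alice</name><pass>s3cret</pass></user></users>";

    // Characters from the OWASP list quoted above: < > / ' = " plus the
    // meta characters * and ?. Any occurrence rejects the whole value.
    static final Pattern PROHIBITED = Pattern.compile("[<>/'=\"*?]");

    static String requireClean(String value) {
        if (PROHIBITED.matcher(value).find()) {
            throw new IllegalArgumentException("prohibited character in XPath parameter");
        }
        return value;
    }

    // Vulnerable form: parameters are concatenated straight into the expression,
    // so quote and comparison characters in the input change the query's logic.
    static boolean loginUnsafe(Document doc, String user, String pass) throws Exception {
        String expr = "/users/user[name='" + user + "' and pass='" + pass + "']";
        NodeList hits = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength() > 0;
    }

    // Hardened form: the OWASP character check is applied first, and the values
    // are then bound as XPath variables ($user, $pass) instead of being spliced in.
    static boolean loginSafe(Document doc, String user, String pass) throws Exception {
        String u = requireClean(user), p = requireClean(pass);
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name -> {
            switch (name.getLocalPart()) {
                case "user": return u;
                case "pass": return p;
                default: return null;   // unknown variable: evaluation fails
            }
        });
        NodeList hits = (NodeList) xpath.evaluate(
                "/users/user[name=$user and pass=$pass]", doc, XPathConstants.NODESET);
        return hits.getLength() > 0;
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new ByteArrayInputStream(USERS_XML.getBytes(StandardCharsets.UTF_8)));
        String injected = "' or '1'='1";   // contains ' and =, both prohibited above
        System.out.println("unsafe query with bad password: " + loginUnsafe(doc, "alice", injected));
        try {
            loginSafe(doc, "alice", injected);
        } catch (IllegalArgumentException e) {
            System.out.println("safe query with bad password: rejected (" + e.getMessage() + ")");
        }
        System.out.println("safe query with correct password: " + loginSafe(doc, "alice", "s3cret"));
    }
}
```

Run with `java XPathInjectionDemo.java` (Java 11 or later); the unsafe query reports a match for the wrong password, while the hardened path rejects the input before any XPath is evaluated.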

...

[Fortify 2008] "Input Validation and Representation: XML Injection"
[MITRE 2009] CWE-643, "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')", http://cwe.mitre.org/data/definitions/643.html
[OWASP 2005] "Testing for XPath Injection", http://www.owasp.org/index.php/XPath_Injection_Testing_AoC
[Sen 2007]
[Sun 2006] "Ensure Data Security", http://java.sun.com/developer/technicalArticles/xml/jaxp1-3/index.html#Ensure%20Data%20Security

...