...

Using this method, the data specified in the userName and password fields cannot be interpreted as executable content at runtime.

Applicability

Failure to validate user input that is incorporated into an XPath query may result in information disclosure (for example, bypassing an authentication check encoded in the query) and execution of unprivileged code.

In addition, according to OWASP [OWASP 2005],

[Prevention of XPath injection] requires the following characters to be removed (i.e., prohibited) or properly escaped:

  • < > / ' = " to prevent straight parameter injection
  • XPath queries should not contain any meta characters (such as ' = * ? // or similar)
  • XSLT expansions should not contain any user input, or if they do, [you should] comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.
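The following is an added example, not code from the original rule or from OWASP. It puts the two approaches above side by side: a noncompliant login check that concatenates the userName and password values into the XPath expression, a compliant check that binds them through the JAXP XPathVariableResolver so they can never be parsed as query syntax (an alternative way of realizing the parameterization idea described above; the rule's own compliant solution is elided on this page), and a simple allowlist filter in the spirit of the OWASP character list. The user store, field names, and the assumption that logins are short alphanumeric identifiers are constructed for the example.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathInjectionDemo {

    // Constructed sample user store (assumption: not from the original page).
    static final String USERS_XML =
          "<users>"
        + "<user><login>alice</login><password>s3cret</password></user>"
        + "<user><login>bob</login><password>hunter2</password></user>"
        + "</users>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Unrelated to XPath injection, but any parser fed untrusted XML should refuse DTDs.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Noncompliant: user input is spliced into the query text. Because "and" binds
    // tighter than "or", supplying  ' or '1'='1  in both fields yields a predicate
    // that is true for every <user> element, so the check passes without credentials.
    static boolean loginVulnerable(Document doc, String user, String pass) throws Exception {
        String expr = "/users/user[login/text()='" + user
                    + "' and password/text()='" + pass + "']";
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList hits = (NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength() > 0;
    }

    // Compliant: the query text is a constant; the values arrive as XPath variables
    // ($user, $pass) resolved at evaluation time, so quotes and operators in the
    // input are compared as character data, never interpreted as XPath.
    static boolean loginSafe(Document doc, String user, String pass) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("user", user, "pass", pass);
        xp.setXPathVariableResolver(new XPathVariableResolver() {
            @Override
            public Object resolveVariable(QName name) {
                return vars.get(name.getLocalPart());
            }
        });
        XPathExpression compiled =
            xp.compile("/users/user[login/text()=$user and password/text()=$pass]");
        NodeList hits = (NodeList) compiled.evaluate(doc, XPathConstants.NODESET);
        return hits.getLength() > 0;
    }

    // Allowlist validation along the lines of the OWASP list above: reject input
    // containing any character outside a conservative set. Assumption for this
    // example: logins are 1-64 characters from [A-Za-z0-9_.-]. This is a defence
    // in depth; it does not replace parameterization, and it is too strict for
    // free-form fields such as passwords.
    static boolean isPlainIdentifier(String s) {
        return s != null && s.matches("[A-Za-z0-9_.-]{1,64}");
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        String payload = "' or '1'='1";
        System.out.println("vulnerable, injected creds: " + loginVulnerable(doc, payload, payload));
        System.out.println("safe, injected creds:       " + loginSafe(doc, payload, payload));
        System.out.println("safe, real creds:           " + loginSafe(doc, "alice", "s3cret"));
        System.out.println("allowlist accepts payload:  " + isPlainIdentifier(payload));
    }
}
```

Running the class shows the injected payload authenticating through loginVulnerable while loginSafe rejects it and still accepts the genuine alice/s3cret pair; the allowlist check rejects the payload because of the quote, space and equals characters. Note that escaping quotes by hand is fragile in XPath 1.0, which has no escape sequence inside string literals (a value containing both ' and " must be assembled with concat()), which is why binding variables is the preferable control.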

...

Bibliography

[Fortify 2008] "Input Validation and Representation: XML Injection"
[MITRE 2009] CWE ID 643 "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')"
[OWASP 2005] Testing for XPath Injection
[Sen 2007]
[Sun 2006] Ensure Data Security

...