...
This guideline is a specific example of the broadly scoped IDS51-JG 07. Prevent code injection.
XML Path Injection Example
...
- Treat all user input as untrusted, and perform appropriate sanitization.
- When sanitizing user input, verify the correctness of the data type, length, format, and content. For example, use a regular expression that checks for XML tags and special characters in user input. This practice corresponds to input sanitization. See IDS51-JG07. Prevent code injection for additional details.
- In a client-server application, perform validation at both the client and the server sides.
- Extensively test applications that supply, propagate, or accept user input.
...