...
[Prevention of XPath injection] requires the following:

- The following characters must be removed (i.e., prohibited) or properly escaped to prevent straight parameter injection: < > / ' = "
- XPath queries should not contain any meta characters (such as ' = * ? // or similar).
- XSLT expansions should not contain any user input, or if they do, [you should] comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.
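The first two points above in working Java, as an added example that is not part of the original guideline: an allowlist that rejects every listed metacharacter, a concatenated (unsafe) query shown for contrast, and, as a technique the excerpt does not itself mention, binding the values through an XPathVariableResolver so they are never parsed as part of the expression. The XML document, the element names and the method names are constructed for the example.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;
import java.util.regex.Pattern;

public class XPathLookup {
    // Constructed sample document standing in for a user store.
    static final String XML =
        "<users><user><name>alice</name><pass>s3cret</pass></user></users>";

    // Allowlist of plain identifier characters; it excludes every character
    // the guideline lists (< > / ' = " * ?) rather than trying to escape them.
    static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_.@-]{1,64}");

    static Document parse() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(XML)));
    }

    // Unsafe for contrast: a value containing a quote closes the string
    // literal, so user input becomes part of the query's structure.
    static boolean loginUnsafe(String user, String pass) throws Exception {
        String q = "/users/user[name='" + user + "' and pass='" + pass + "']";
        return XPathFactory.newInstance().newXPath()
                .evaluate(q, parse(), XPathConstants.NODE) != null;
    }

    // Safe: reject input outside the allowlist, then pass the values as
    // XPath variables so the expression text is fixed at compile time.
    static boolean loginSafe(String user, String pass) throws Exception {
        if (!SAFE.matcher(user).matches() || !SAFE.matcher(pass).matches()) {
            return false; // prohibited character present
        }
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(v ->
            "user".equals(v.getLocalPart()) ? user
          : "pass".equals(v.getLocalPart()) ? pass : null);
        String q = "/users/user[name=$user and pass=$pass]";
        return xp.evaluate(q, parse(), XPathConstants.NODE) != null;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(loginSafe("alice", "s3cret"));  // true
        System.out.println(loginSafe("alice", "s3c'ret")); // false: quote rejected
    }
}
```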
Related Guidelines

| [MITRE 2009] CWE | CWE-643, Failure to sanitize data within XPath expressions (aka "XPath injection") |
...