...
XPath injection occurs when an XML document is used for data storage in a manner similar to a relational database. This way, an XPath injection is similar to an SQL injection attack (MSC34-J. Prevent against SQL Injection), where an attack is able to include query logic in a data field in such a way the the conditional field of the query resolves as a tautology or otherwise gives the attacker access to information it should not be entitled to.
This rule is a specific example of the broadly scoped rule FIO38-J. Validate user input.
XPath Injection Example
Consider the following XML document being used as a database:
...