...
In addition, OWASP \[[OWASP 2005|AA. Java References#OWASPBibliography#OWASP 05]\] recommends the following:

* \[Prevention of XPath injection\] requires the following characters to be removed (i.e., prohibited) or properly escaped, to prevent straight parameter injection: < > / ' = "
* XPath queries should not contain any meta characters (such as ' = * ? // or similar).
* XSLT expansions should not contain any user input, or if they do, that you comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.
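The following is an added example, not code from the original page, from OWASP, or from the CERT rule; it shows the difference between the two approaches the recommendations above contrast. The vulnerable method concatenates user input straight into the XPath query text, so the classic {{' or '1'='1}} payload turns an authentication check into a match on every user. The hardened method does two things: it rejects input containing the characters listed above, and it passes the values through JAXP's {{XPathVariableResolver}} so they are bound as variables rather than parsed as query syntax. The user store XML, the class and method names, and the treatment of rejected input as a failed login are assumptions made for this example.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathInjectionDemo {

    // Constructed sample user store for this example (assumption, not from the page).
    private static final String USERS_XML =
        "<users>"
      + "  <user><name>alice</name><password>s3cret</password></user>"
      + "  <user><name>bob</name><password>hunter2</password></user>"
      + "</users>";

    // Characters the recommendations above say must be removed or escaped before they
    // can reach an XPath query: < > / ' = " plus the metacharacters * ? (and / again).
    private static final String FORBIDDEN = "<>/'=\"*?";

    private static Document loadUsers() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Unrelated to XPath injection, but no DTD is needed for this document.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(USERS_XML)));
    }

    // VULNERABLE: the query text is assembled by string concatenation, so a quote in
    // either argument ends the literal and the rest of the input is parsed as XPath.
    static int vulnerableLogin(Document doc, String name, String pass) throws Exception {
        String expr = "/users/user[name/text()='" + name
                    + "' and password/text()='" + pass + "']";
        NodeList hits = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    // HARDENED: input that contains any prohibited character is rejected outright, and
    // the remaining values are bound as XPath variables ($name, $pass) instead of being
    // spliced into the expression, so they can never change the query's structure.
    static int safeLogin(Document doc, String name, String pass) throws Exception {
        if (containsForbidden(name) || containsForbidden(pass)) {
            return 0; // treat as a failed login rather than attempting to escape
        }
        XPath xpath = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("name", name, "pass", pass);
        xpath.setXPathVariableResolver(q -> vars.get(q.getLocalPart()));
        XPathExpression compiled = xpath.compile(
                "/users/user[name/text()=$name and password/text()=$pass]");
        NodeList hits = (NodeList) compiled.evaluate(doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    static boolean containsForbidden(String s) {
        for (char c : s.toCharArray()) {
            if (FORBIDDEN.indexOf(c) >= 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Document doc = loadUsers();
        String attack = "' or '1'='1";
        System.out.println("vulnerable, attack payload: " + vulnerableLogin(doc, attack, attack));
        System.out.println("hardened,   attack payload: " + safeLogin(doc, attack, attack));
        System.out.println("hardened,   valid login:    " + safeLogin(doc, "alice", "s3cret"));
    }
}
```

With the attack payload in both fields, the concatenated query becomes {{/users/user[name/text()='' or '1'='1' and password/text()='' or '1'='1']}}; because {{and}} binds tighter than {{or}}, the trailing {{'1'='1'}} makes the predicate true for every user node, and the vulnerable method reports a match for both users. The hardened method rejects the payload because it contains {{'}} and {{=}}, and it still authenticates the legitimate user because the bound variables are compared as plain strings. The variable binding alone would be sufficient against this payload; the character check is the page's own recommendation and additionally keeps metacharacters out of any downstream use of the input.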
...
\[[Fortify 2008|AA. Java References#FortifyBibliography#Fortify 08]\] "Input Validation and Representation: XML Injection"
\[[Sen 2007|AA. Java References#SenBibliography#Sen 07]\]
\[[Sun 2006|AA. Java References#SunBibliography#Sun 06]\] [Ensure Data Security|http://java.sun.com/developer/technicalArticles/xml/jaxp1-3/index.html#Ensure%20Data%20Security]
\[[OWASP 2005|AA. Java References#OWASPBibliography#OWASP 05]\] [Testing for XPath Injection|http://www.owasp.org/index.php/XPath_Injection_Testing_AoC]
\[[MITRE 2009|AA. Java References#MITREBibliography#MITRE 09]\] [CWE ID 643|http://cwe.mitre.org/data/definitions/643.html] "Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')"
...