...

This guideline is a specific example of the broadly scoped IDS52-J. Prevent code injection.

XML Path Injection Example

...

  • Treat all user input as untrusted, and perform appropriate sanitization before it reaches the XPath evaluator.
  • When sanitizing user input, verify the correctness of the data type, length, format, and content. For example, use a regular expression that rejects XML tags and XPath metacharacters (quotes, brackets, slashes, `@`, `*`) in user input, or better, an allow-list pattern that admits only the characters the field legitimately needs. This practice corresponds to input sanitization. See IDS52-J. Prevent code injection for additional details.
  • In a client-server application, perform validation at both the client and the server sides. Client-side validation only improves usability; an attacker can bypass it, so the server-side check is the one that matters for security.
  • Extensively test applications that supply, propagate, or accept user input, including inputs that contain quote characters and XPath operators such as `or`.

...