Stylus Studio® Developer Network | Contact Us | Email this page

PRODUCTS

TRY

BUY

LEARN

SUPPORT

COMPANY

Cart

[XSL-LIST Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: XSL Injection, is it possible? Play the video Subject: Re: XSL Injection, is it possible? From: "G. T. Stresen-Reuter" <tedmasterweb@xxxxxxx> Date: Tue, 30 May 2006 13:16:54 +0100 On May 30, 2006, at 2:34 AM, Dimitre Novatchev wrote: There are some applications that allow the end user to enter an XPath expression (oh, why does this sound somewhat familiar to me :o) ), and the possibility for *XPath Injection* is a very real one. This was precisely the concern I had but lacked the language to express. Of course our system uses user input in XPath expressions. I'll have to go back and quadruple check that the origin and format of the variables are what I expect them to be or I could have some problems! But I do wonder, how would you circumvent an XPath expression such as this? select="//page[@name = $pagename]/content[@lang = $lang]/block[@id = $block_id]" It seems to me that if the variables aren't exactly what the system expects, no match is found and no results are returned. Passing * as the $pagename also doesn't have the expected result since it seems be seen as the literal asterisk and not as the wildcard character. Am I missing something? Thanks in advance and for this feedback. Very helpful indeed! Ted Stresen-Reuter Current Thread Re: XSL Injection, is it possible?, (continued) David Carlisle - 29 May 2006 22:55:06 -0000 G. T. Stresen-Reuter - 30 May 2006 11:57:02 -0000 Dimitre Novatchev - 30 May 2006 01:34:43 -0000 M. David Peterson - 30 May 2006 06:57:49 -0000 G. T. Stresen-Reuter - 30 May 2006 12:17:36 -0000 <= Dimitre Novatchev - 30 May 2006 16:14:08 -0000 G. T. Stresen-Reuter - 30 May 2006 18:27:26 -0000 Dimitre Novatchev - 30 May 2006 19:13:24 -0000 <- Previous Index Next -> Re: XSL Injection, is it poss, M. David Peterson Thread Re: XSL Injection, is it poss, Dimitre Novatchev Re: XSL Injection, is it poss, G. T. Stresen-Reuter Date [xml] using schemas/xslt/xinc, Nestor Urquiza Month

PURCHASE STYLUS STUDIO ONLINE TODAY! Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Cast Your Vote We need your help – Vote for DataDirect XML Products! Best SOA or XML site Winners and finalists announced at SOA World Conference in November. Download The World's Best XML IDE! Accelerate XML development with our award-winning XML IDE - Download a free trial today! Don't miss another message! Subscribe to this list today. Email First Name Last Name Company Subscribe in XML format RSS 2.0 Atom 0.3

Stylus Studio® and DataDirect XQuery™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2007 All Rights Reserved.