Re: XSL Injection, is it possible?

But I do wonder, how would you circumvent an XPath expression such as
this?

select="//page[@name = $pagename]/content[@lang = $lang]/block[@id =
$block_id]"

will produce the page with name given by $pagename only when the
"anInterestingXPathExpression" is true.

In case the dynamically generated XPath expression is evaluated within
an XSLT processor, then the document() function is very likely to be
referenced within the injected part of the expression.

--
Cheers,
Dimitre Novatchev
---------------------------------------
Truly great madness cannot be achieved without significant intelligence.

On May 30, 2006, at 2:34 AM, Dimitre Novatchev wrote:

> There are some applications that allow the end user to enter an XPath
> expression (oh, why does this sound somewhat familiar to me :o)    ),
> and the possibility for *XPath Injection* is a very real one.

This was precisely the concern I had but lacked the language to
express. Of course our system uses user input in XPath expressions.
I'll have to go back and quadruple check that the origin and format of
the variables are what I expect them to be or I could have some
problems!

But I do wonder, how would you circumvent an XPath expression such as
this?

select="//page[@name = $pagename]/content[@lang = $lang]/block[@id =
$block_id]"

It seems to me that if the variables aren't exactly what the system
expects, no match is found and no results are returned. Passing * as
the $pagename also doesn't have the expected result since it seems be
seen as the literal asterisk and not as the wildcard character. Am I
missing something?

Thanks in advance and for this feedback. Very helpful indeed!

Ted Stresen-Reuter

--
Cheers,
Dimitre Novatchev
---------------------------------------
Truly great madness cannot be achieved without significant intelligence.