
Re: XSL Injection, is it possible?

Subject: Re: XSL Injection, is it possible?
From: "G. T. Stresen-Reuter" <tedmasterweb@xxxxxxx>
Date: Tue, 30 May 2006 19:26:26 +0100
On May 30, 2006, at 5:13 PM, Dimitre Novatchev wrote:

>> But I do wonder, how would you circumvent an XPath expression such as
>> this?
>>
>> select="//page[@name = $pagename]/content[@lang = $lang]/block[@id =
>> $block_id]"
>
> This expression:
>
>     //page[@name = $pagename and anInterestingXPathExpression]
>
> will produce the page with name given by $pagename only when the
> "anInterestingXPathExpression" is true.
>
> In this way I could test whether certain elements have certain values, ..., etc.
>
> In case the dynamically generated XPath expression is evaluated within
> an XSLT processor, then the document() function is very likely to be
> referenced within the injected part of the expression.
>
> The same goes for any extension functions that might be supported.

Ok, but how would someone be able to append " and anInterestingXPathExpression" to the $pagename variable? Just adding " or 1 = 1" to the incoming value (as would be the case with SQL injection) doesn't work with Sablotron, Saxon, libxslt or Xalan-J. The processors see the value of $pagename as [@name = 'home.html and 1 = 1'] rather than as [@name = home.html and 1 = 1].


Honestly, posting how to do this to the list may not be the best idea, but I sure would like to be able to say that the methodology I'm following is sound 8~/

Thanks again for the ideas and feedback.

Ted
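The distinction the two posters are circling is where the user-supplied value enters the XPath expression. If the application builds the expression by string concatenation, a quote in the input closes the literal and the rest is parsed as XPath, so both the " or 1 = 1" tautology and Dimitre's boolean probing work. If the expression is a constant and the value is bound as an XPath variable, as in Ted's select="//page[@name = $pagename]...", the whole input is compared as one string and the tautology is inert. The script below is an added example written for this page, not code from the thread; it uses Ruby's REXML (stdlib XPath 1.0 engine, which supports variable binding) over a constructed two-page document. The page names, block ids and payload strings are all made up for the demonstration. Dimitre's further point about document() and extension functions applies only when the expression is evaluated inside an XSLT processor and is not exercised here.

```ruby
require 'rexml/document'

# Constructed sample document (not from the original thread): one public
# page and one page the application never intends to serve to the caller.
SITE_XML = <<~XML
  <site>
    <page name="home.html">
      <content lang="en"><block id="main">Welcome</block></content>
    </page>
    <page name="admin.html">
      <content lang="en"><block id="main">Secret admin panel</block></content>
    </page>
  </site>
XML

DOC = REXML::Document.new(SITE_XML)

# Vulnerable form: the expression is assembled from user input by string
# interpolation. A single quote in the input terminates the literal and the
# remainder of the input is parsed as XPath.
def select_blocks_concat(pagename, lang, block_id)
  expr = "//page[@name = '#{pagename}']/content[@lang = '#{lang}']/block[@id = '#{block_id}']"
  REXML::XPath.match(DOC, expr).map(&:text)
end

# Safe form: the expression is a constant and the input is passed in as an
# XPath variable ($pagename etc.), which is what an XSLT stylesheet does with
# <xsl:param>. Whatever the input contains, it is compared as one string.
SAFE_EXPR = "//page[@name = $pagename]/content[@lang = $lang]/block[@id = $block_id]".freeze

def select_blocks_bound(pagename, lang, block_id)
  vars = { "pagename" => pagename, "lang" => lang, "block_id" => block_id }
  REXML::XPath.match(DOC, SAFE_EXPR, {}, vars).map(&:text)
end

# Tautology payload (hypothetical): closes the literal, adds "or 1 = 1", and
# reopens a literal so the predicate stays syntactically valid. The resulting
# predicate is true for every <page>, so every page's block is returned.
TAUTOLOGY = "home.html' or 1 = 1 or @name = '".freeze

# Boolean probe payloads (hypothetical), in the spirit of Dimitre's
# "$pagename and anInterestingXPathExpression": home.html comes back only when
# the appended condition holds, so the attacker learns whether a page exists.
PROBE_ADMIN_EXISTS = "home.html' and //page[@name = 'admin.html'] or @name = '".freeze
PROBE_NO_SUCH_PAGE = "home.html' and //page[@name = 'nope.html'] or @name = '".freeze

if __FILE__ == $PROGRAM_NAME
  puts "legit, bound:     #{select_blocks_bound('home.html', 'en', 'main').inspect}"
  puts "tautology, concat: #{select_blocks_concat(TAUTOLOGY, 'en', 'main').inspect}"
  puts "tautology, bound:  #{select_blocks_bound(TAUTOLOGY, 'en', 'main').inspect}"
  puts "probe admin, concat: #{select_blocks_concat(PROBE_ADMIN_EXISTS, 'en', 'main').inspect}"
  puts "probe nope, concat:  #{select_blocks_concat(PROBE_NO_SUCH_PAGE, 'en', 'main').inspect}"
end
```

The check a practitioner wants is the third line of output: with the value bound as a variable, the tautology payload matches no page at all, because the engine compares @name against the literal string "home.html' or 1 = 1 or @name = '". The same payload against the concatenated expression returns the admin block as well. Note that escaping the single quote is not a full fix for the concatenated form, since XPath 1.0 has no escape sequence inside literals; binding the value is the right answer.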
