Re: XSL Injection, is it possible?
On May 30, 2006, at 5:13 PM, Dimitre Novatchev wrote:
But I do wonder, how would you circumvent an XPath expression such as this?

Ok, but how would someone be able to append " and anInterestingXPathExpression" to the $pagename variable? Just adding " or 1 = 1" to the incoming value (as would be the case with SQL injection) doesn't work with Sablotron, Saxon, libxslt nor Xalan-J. The processors see the value of $pagename as

    [@name = 'home.html and 1 = 1']

rather than as

    [@name = home.html and 1 = 1]

Honestly, posting how to do this to the list may not be the best idea, but I sure would like to be able to say that the methodology I'm following is sound 8~/

Thanks again for the ideas and feedback.

Ted
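
The behaviour described in the message above can be checked with the XSLT processor bundled with the JDK. This is an added example, not code from the thread: the sample document, the stylesheet and the class name PagenameParamDemo are constructed for illustration, and the value is bound to $pagename through Transformer.setParameter.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class PagenameParamDemo {
    // Constructed sample document (not from the thread).
    static final String XML =
        "<site><page name='home.html'/><page name='admin.html'/></site>";

    // Hypothetical stylesheet: $pagename is a declared parameter and is
    // compared as a value inside the predicate.
    static final String XSL =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
      + "<xsl:output method='text'/>"
      + "<xsl:param name='pagename'/>"
      + "<xsl:template match='/'>"
      + "<xsl:value-of select=\"count(/site/page[@name = $pagename])\"/>"
      + "</xsl:template>"
      + "</xsl:stylesheet>";

    // Runs the transformation with the caller's value bound to $pagename and
    // returns how many <page> elements the predicate selected.
    static int matches(String pagename) throws Exception {
        Transformer t = TransformerFactory.newInstance()
            .newTransformer(new StreamSource(new StringReader(XSL)));
        t.setParameter("pagename", pagename); // bound as an XPath string value
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(XML)), new StreamResult(out));
        return Integer.parseInt(out.toString().trim());
    }

    public static void main(String[] args) throws Exception {
        // The plain page name, then the two suffixed values quoted in the message.
        String[] values = {
            "home.html",
            "home.html and 1 = 1",
            "home.html or 1 = 1",
        };
        for (String v : values) {
            System.out.println("[" + v + "] selected " + matches(v) + " page(s)");
        }
    }
}
```

Only the exact name selects a page; the suffixed values are compared as whole strings and select nothing. This holds because the value reaches the processor through setParameter; a stylesheet whose XPath text is assembled from the input does not get the same treatment.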