How can I prevent XPATH injection in the .NET Framework?
We were previously using string concatenation to build XPATH statements, but found that end users could execute some arbitrary XPATH. For example:
string queryValue = "pages[@url='" + USER_INPUT_VALUE + "']";
node = doc.DocumentElement.SelectSingleNode(queryValue);
Would it be sufficient to strip out single and double quotes from input strings?
Or, does the .NET framework support parameterized XPATH queries?
The main idea in preventing an XPath injection is to pre-compile the XPath expression you want to use and to allow variables (parameters) in it, which during the evaluation process will be substituted by user-entered values.
In .NET:
Have your XPath expresion pre-compiled with XPathExpression.Compile().
Use the XPathExpression.SetContext() Method to specify as context an XsltContext object that resolves some specific variables to the user-entered values.
You can read more about how to evaluate an XPath expression that contains variables here.
This text contains good and complete examples.
Strongly typed parameters are available if you use a full-blown XsltTransform.
Parameterized XPath is possible if you use Saxon as your XPath processor.
Instead of strongly typed parameters you could decrease the options for a user. Why give them full control if you do not want that?
Provide the user with a couple of option to select from and then create the query.
Allowing the user to enter any string is asking for trouble or a lot of work.
