JohnathanKong

Reputation: 1307

XML Injection attacks

What is the best way to prevent XML injection attacks? I want to use parameterization, but there is nothing like SQL, so I have to build one. I'm just wondering what's the best way to build one, and what should I be cleansing.

Update

Sorry, it is for XPath. I am writing a quick function to remove all single and double quotes right now, but is there a better way?

Upvotes: 2

Views: 2324

Answers (1)

Michael Kay

Reputation: 163342

Many XPath processors/APIs allow you to use variables in your expression, so you can write for example //A[@status=$param] where the value of $param is supplied by the calling code. If you can use that, do, because it prevents all injection attacks. It's also likely to be more efficient than constructing an expression using string concatenation, because it only needs to be compiled once.

Upvotes: 2
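The variable-binding approach described in the answer, as an added example that is not part of the original post: Python with the third-party lxml library (assumed installed), where an XPath expression is compiled once and `$param` is bound per call. The document, attribute names and status values are constructed; the concatenating function is included only for contrast.

```python
# Added example, not from the question or answer. Assumes the third-party
# `lxml` package is installed; the document and values are constructed.
from lxml import etree

# Constructed sample document. Element 3 has a status containing both a single
# and a double quote, which an XPath 1.0 string literal cannot even express.
DOC = etree.fromstring(
    b"<root>"
    b"<A id='1' status='active'/>"
    b"<A id='2' status='disabled'/>"
    b"<A id='3' status=\"it's &quot;odd&quot;\"/>"
    b"</root>"
)

# Compiled once; $param is supplied on each call and is never part of the
# expression's source text, so the input cannot alter the query structure.
FIND_BY_STATUS = etree.XPath("//A[@status=$param]")


def ids_with_status(status):
    """Return the ids of A elements whose status equals `status` (safe form)."""
    return [a.get("id") for a in FIND_BY_STATUS(DOC, param=status)]


def ids_with_status_unsafe(status):
    """Concatenation, for contrast: the value is parsed as XPath source, so a
    quote in the input changes the expression itself. Returns None when the
    resulting expression no longer parses."""
    try:
        return [a.get("id") for a in DOC.xpath("//A[@status='" + status + "']")]
    except etree.XPathError:
        return None
```

The variable form returns element 3 for the quoted status, while the concatenated form cannot even form a valid expression for that input; the same mechanism is what keeps hostile input from being interpreted as XPath.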
