How to prevent the implementation of XPath / XML in .NET.

Question

How to prevent the implementation of XPath / XML in .NET.

How can I prevent XPATH implementation in the .NET Framework?

Previously, we used string concatenation to create XPATH instructions, but found that end users can execute arbitrary XPATHs. For instance:

string queryValue = "pages[@url='" + USER_INPUT_VALUE + "']"; node = doc.DocumentElement.SelectSingleNode(queryValue);

Would it be sufficient to exclude single and double quotes from input strings?

Or is .NET support supported in parameterized XPATH queries?

+6

xml .net xpath code-injection

frankadelic Jun 17 '11 at 5:28

source share

4 answers

Strongly typed options are available if you use the full-blown XsltTransform .

+2

Serguei Jun 17 '11 at 5:42

source share

Parameterized XPath is possible if you use Saxon as an XPath processor.

+1

Michael kay Jun 17 '11 at 10:13

source share

Instead of strongly typed parameters, you can reduce the parameters for the user. Why give them full control if you don't want to?

Provide the user with a couple of choices and then create a query.

Allowing the user to enter any line asks for problems or a lot of work.

0

Erno de weerd Jun 17 '11 at 6:09

source share

Dimitre novatchev · Accepted Answer · 2011-06-18T03:34:52+0000

The main idea of preventing XPath implementation is to precompile the XPath expression that you want to use and enable the variables (parameters) in it that will be replaced by user-entered values during the evaluation process .

In .NET :

You have an XPath expression precompiled with XPathExpression.Compile () .
Use the XPathExpression.SetContext () Method to specify an XsltContext as the context that resolves defined variables to user-entered values.

You can learn more about how to evaluate an XPath expression that contains variables here .

This text contains good and complete examples.

How to prevent the implementation of XPath / XML in .NET.

More articles: