How to prevent XPath/XML injection in .NET

醉酒成梦 2020-12-01 19:31

How can I prevent XPATH injection in the .NET Framework?

We were previously using string concatenation to build XPATH statements, but found that end users could exec

4 answers
  • 2020-12-01 20:05

    The main idea in preventing an XPath injection is to pre-compile the XPath expression you want to use and to allow variables (parameters) in it, which during the evaluation process will be substituted by user-entered values.

    In .NET:

    1. Have your XPath expression pre-compiled with XPathExpression.Compile().

    2. Use the XPathExpression.SetContext() method to specify as context an XsltContext object that resolves some specific variables to the user-entered values.

    You can read more about how to evaluate an XPath expression that contains variables here.

    This text contains good and complete examples.

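    An added C# example of the two steps above (my own code, not from the answer or from the .NET documentation): a minimal XsltContext that resolves `$name` to a value supplied at evaluation time, evaluated against a constructed XML document.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml.XPath;
using System.Xml.Xsl;

// Resolves XPath variables ($name) to values supplied at evaluation time.
// The user input never becomes part of the expression text, so quotes or
// operators inside it cannot change the structure of the query.
sealed class VariableContext : XsltContext
{
    private readonly Dictionary<string, object> _vars;
    public VariableContext(Dictionary<string, object> vars) { _vars = vars; }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        if (!_vars.TryGetValue(name, out var value))
            throw new ArgumentException($"Unknown XPath variable: ${name}");
        return new Variable(value);
    }

    // No extension functions are exposed; only variables are resolved.
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes) => null;
    public override bool Whitespace => true;
    public override bool PreserveWhitespace(XPathNavigator node) => true;
    public override int CompareDocument(string baseUri, string nextbaseUri) => 0;

    private sealed class Variable : IXsltContextVariable
    {
        private readonly object _value;
        public Variable(object value) { _value = value; }
        public object Evaluate(XsltContext ctx) => _value; // value is compared as a string literal
        public bool IsLocal => false;
        public bool IsParam => false;
        public XPathResultType VariableType => XPathResultType.String;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample document (not from the original post).
        const string xml = "<users><user name='alice' role='admin'/><user name='bob' role='user'/></users>";
        var nav = new XPathDocument(new StringReader(xml)).CreateNavigator();

        // Step 1: pre-compile an expression that uses a variable instead of concatenated input.
        XPathExpression expr = XPathExpression.Compile("/users/user[@name = $name]");

        // Step 2: bind the variable through the context; hostile-looking input stays a plain string.
        string userInput = "' or '1'='1";
        expr.SetContext(new VariableContext(new Dictionary<string, object> { ["name"] = userInput }));

        XPathNodeIterator it = nav.Select(expr);
        Console.WriteLine($"matching users: {it.Count}");
    }
}
```

    With string concatenation the same input would have produced `[@name = '' or '1'='1']` and matched every user; with the variable binding it is compared only as the literal user name.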
  • 2020-12-01 20:09

    Parameterized XPath is possible if you use Saxon as your XPath processor.

  • 2020-12-01 20:16

    Strongly typed parameters are available if you use a full-blown XsltTransform.

  • 2020-12-01 20:21

    Instead of strongly typed parameters you could decrease the options for a user. Why give them full control if you do not want that?

    Provide the user with a couple of options to select from and then create the query.

    Allowing the user to enter any string is asking for trouble or a lot of work.
