How to prevent XPath/XML injection in .NET

by

The main idea in preventing an XPath injection is to pre-compile the XPath expression you want to use and to allow variables (parameters) in it, which during the evaluation process will be substituted by user-entered values.

In .NET:

  1. Have your XPath expresion pre-compiled with XPathExpression.Compile().

  2. Use the XPathExpression.SetContext() Method to specify as context an XsltContext object that resolves some specific variables to the user-entered values.

You can read more about how to evaluate an XPath expression that contains variables here.

This text contains good and complete examples.

More Related Contents:

  1. Can I use a Regex in an XPath expression?
  2. How to use XPath with XElement or LINQ?
  3. XPath and XSLT 2.0 for .NET? [closed]
  4. Does XSLT have a Split() function?
  5. Best way to get InnerXml of an XElement?
  6. XML – Data At Root Level is Invalid
  7. Simplest way to have a configuration file in a Windows Forms C# application
  8. XmlSerializer: remove unnecessary xsi and xsd namespaces
  9. Deserializing empty xml attribute value into nullable int property using XmlSerializer
  10. Best way to encode text data for XML
  11. how to use XPath with XDocument?
  12. What is the correct format to use for Date/Time in an XML file
  13. Ignore namespaces in LINQ to XML
  14. How to solve “unable to switch the encoding” error when inserting XML into SQL Server
  15. Does .Net 4.5 support XML 1.1 yet (for characters invalid in XML 1.0)?
  16. Why “Data at the root level is invalid. Line 1, position 1.” for XML Document?
  17. “Type not expected”, using DataContractSerializer – but it’s just a simple class, no funny stuff?
  18. Can I serialize Anonymous Types as xml?
  19. How do I specify XML serialization attributes to support namespace prefixes during deserialization in .NET?
  20. Performance: XDocument versus XmlDocument
  21. Using .Net what limitations (if any) are there in using the XmlSerializer?
  22. Serializing a list of Key/Value pairs to XML
  23. Linq: What is the difference between Select and Where
  24. How to remove k__BackingField from json when Deserialize
  25. What are the most valuable .Net Compact Framework Tips, Tricks, and Gotcha-Avoiders? [closed]
  26. Do you think it’s advantageous to switch to Entity Framework? [closed]
  27. .NET DataTable skips rows on Load(DataReader)
  28. Advanced Console IO in .NET
  29. When using PresentationFramework.Aero, do I need to set “Copy Local” to true (and include it in my setup project)?
  30. Java How to extract a complete XML block

Leave a Comment