User input that reaches an XPath query without sanitization can allow an attacker to control the query in unwanted or insecure ways. This can give the attacker access to any data the query can reach, not just the data that the original query was intended to return.
1import express, {Request, Response} from 'express'
2import * as xpath from 'xpath'
3import {DOMParser} from 'xmldom'
// Module-level Express application the example handlers are registered on.
const app = express();
/**
 * Noncompliant example: builds an XPath expression by string-concatenating a
 * request parameter, so the request can change the structure of the query.
 *
 * Registers a GET handler on the module-level `app`; returns nothing.
 */
function xpathInjectionNoncompliant() {
  app.get(
    "www.example.com",
    function (req: Request, res: Response) {
      // Untrusted: taken straight from the request.
      // NOTE(review): the route path above declares no ':userName' segment, so
      // req.params.userName is undefined here — presumably the real route uses one.
      var userName = req.params.userName;
      var xml = "<book><title>Harry Potter</title></book>";
      var doc = new DOMParser().parseFromString(xml);
      // Noncompliant: passing user-input directly in an XPath expression.
      // Any XPath syntax in userName becomes part of the query (XPath injection);
      // the value must be validated, or bound as a variable, before use.
      var nodes = xpath.select("//title" + userName, doc);
      // The result is not used and no response is sent in this sample.
    },
  );
}
1import express, {Request, Response} from 'express'
2import * as xpath from 'xpath'
3import {DOMParser} from 'xmldom'
// Module-level Express application the example handlers are registered on.
const app = express();
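/**
 * Compliant example: the request parameter is validated against a strict
 * allow-list before it is placed in the XPath expression, so it cannot carry
 * XPath syntax (quotes, brackets, slashes, `*`, `@`, ...) into the query.
 *
 * The legacy global `escape()` is not a suitable sanitizer here: it only
 * percent-encodes, and leaves `/`, `.`, `*`, `@`, `-`, `_` and `+` unencoded,
 * all of which carry meaning in an XPath step. Rejecting unexpected input is
 * simpler and cannot be undone by an encoding the query language still reads.
 *
 * Registers a GET handler on the module-level `app`; returns nothing.
 */
function xpathInjectionCompliant() {
  // Only characters that cannot alter the structure of an XPath expression.
  // Hoisted so the regex is not rebuilt per request.
  const SAFE_NAME = /^[A-Za-z0-9_]+$/;
  app.get(
    "www.example.com",
    function (req: Request, res: Response) {
      // NOTE(review): the route path declares no ':userName' segment, so
      // req.params.userName is undefined here and the request is rejected
      // below; presumably the real route uses '/:userName'.
      const userName = req.params.userName;
      // Reject anything that is not a plain identifier instead of escaping it.
      if (typeof userName !== "string" || !SAFE_NAME.test(userName)) {
        res.status(400).send("invalid userName");
        return;
      }
      const xml = "<book><title>Harry Potter</title></book>";
      const doc = new DOMParser().parseFromString(xml);
      // Compliant: only a validated identifier reaches the XPath expression.
      // If the value had to appear inside a predicate instead, bind it as an
      // XPath variable (xpath.parse(expr).select({ node, variables })) rather
      // than concatenating it.
      const nodes = xpath.select("//title" + userName, doc);
    },
  );
}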