9

How can I prevent XPATH injection in the .NET Framework?

We were previously using string concatenation to build XPATH statements, but found that end users could execute some arbitrary XPATH. For example:

// USER_INPUT_VALUE is concatenated unescaped, so a quote in it ends the string literal and changes the predicate.
string queryValue = "pages[@url='" + USER_INPUT_VALUE + "']";
node = doc.DocumentElement.SelectSingleNode(queryValue);

Would it be sufficient to strip out single and double quotes from input strings?

Or, does the .NET framework support parameterized XPATH queries?

frankadelic
  • 20,543
  • 37
  • 111
  • 164

4 Answers

9

The main idea in preventing an XPath injection is to pre-compile the XPath expression you want to use and to allow variables (parameters) in it, which during the evaluation process will be substituted by user-entered values.

In .NET:

  1. Have your XPath expression pre-compiled with XPathExpression.Compile().

  2. Use the XPathExpression.SetContext() Method to specify as context an XsltContext object that resolves some specific variables to the user-entered values.

You can read more about how to evaluate an XPath expression that contains variables here.

This text contains good and complete examples.

Dimitre Novatchev
  • 240,661
  • 26
  • 293
  • 431
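The two steps above, worked through in C# as an added example (not code from the answer or from the .NET documentation): a minimal XsltContext subclass resolves $url to a caller-supplied value, so the query text stays fixed and user input is only ever compared as a string. The XML document and the class and method names are constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

// Resolves $name variables to values supplied by the caller. The value never
// becomes part of the XPath text, so quotes inside it cannot alter the query.
sealed class VariableContext : XsltContext
{
    private readonly Dictionary<string, object> _vars;
    public VariableContext(Dictionary<string, object> vars) : base(new NameTable()) { _vars = vars; }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        if (!_vars.TryGetValue(name, out var value))
            throw new ArgumentException("Unknown XPath variable: $" + name);
        return new Variable(value);
    }
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes) => null;
    public override int CompareDocument(string baseUri, string nextbaseUri) => 0;
    public override bool PreserveWhitespace(XPathNavigator node) => false;
    public override bool Whitespace => false;

    private sealed class Variable : IXsltContextVariable
    {
        private readonly object _value;
        public Variable(object value) { _value = value; }
        public object Evaluate(XsltContext ctx) => _value;
        public bool IsLocal => false;
        public bool IsParam => false;
        public XPathResultType VariableType => XPathResultType.Any;
    }
}

static class Program
{
    // Constructed sample document for the example.
    const string Xml = "<site><pages url='/home'/><pages url='/admin'/></site>";

    static string FindUrl(string userInput)
    {
        var doc = new XmlDocument();
        doc.LoadXml(Xml);
        // Step 1: the query text is fixed and pre-compiled; $url is bound at evaluation time.
        XPathExpression expr = XPathExpression.Compile("//pages[@url=$url]");
        // Step 2: the context supplies the user value as a variable, not as query text.
        expr.SetContext(new VariableContext(new Dictionary<string, object> { ["url"] = userInput }));
        XPathNavigator hit = doc.CreateNavigator().SelectSingleNode(expr);
        return hit == null ? null : hit.GetAttribute("url", "");
    }

    static void Main()
    {
        Console.WriteLine(FindUrl("/home") ?? "(no match)");        // /home
        Console.WriteLine(FindUrl("x' or '1'='1") ?? "(no match)"); // (no match): compared as a literal string
    }
}
```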
2

Strongly typed parameters are available if you use a full-blown XsltTransform.

Serguei
  • 2,910
  • 3
  • 24
  • 34
1

Parameterized XPath is possible if you use Saxon as your XPath processor.

Michael Kay
  • 156,231
  • 11
  • 92
  • 164
0

Instead of strongly typed parameters you could decrease the options for a user. Why give them full control if you do not want that?

Provide the user with a couple of options to select from and then create the query.

Allowing the user to enter any string is asking for trouble or a lot of work.

Emond
  • 50,210
  • 11
  • 84
  • 115
  • What you're suggesting sounds like sanitizing input. Can you provide the set of characters which must be filtered for XPATH? – frankadelic Jun 18 '11 at 00:00
  • @frankadelic: You don't need "a set of characters" at all. The way to protect from an XPath injection is to use a pre-compiled XPath expressions that contains variables. See my answer for explanation and links to the relevant .NET documentation. – Dimitre Novatchev Jun 18 '11 at 03:38
  • Yes, that is what I meant. Do not allow string input. Give some option buttons and check boxes and hard code the queries. – Emond Jun 18 '11 at 07:09
  • Thanks, however, in my use case I cannot reduce the input choice to a set of options. If that were the case, I would use a whitelist approach. – frankadelic Jun 20 '11 at 15:09