[XSL-LIST Mailing List Archive Home] [By Thread] [By Date]

[xsl] XSL Injection, is it possible?

Subject: [xsl] XSL Injection, is it possible?
From: "G. T. Stresen-Reuter" <tedmasterweb@xxxxxxx>
Date: Mon, 29 May 2006 12:36:39 +0100

Hi,

I have a web-based CMS in which all the data is stored in an XML file. I use XSL extensively. I take user input and insert it into the XML file in several different places.

Currently my sanitizing function just escapes <, >, ', and " in the input but I was wondering if anyone knows of other vectors by which attackers can enter. Are these characters recognized by the XSLT engine if they are hex or unicode encoded?

Thanks in advance and I hope this hasn't been covered elsewhere (I haven't been able to find anything on it).

Ted Stresen-Reuter

Current Thread
[xsl] XSL Injection, is it possible? G. T. Stresen-Reuter - 29 May 2006 11:37:18 -0000 <= David Carlisle - 29 May 2006 22:55:06 -0000 G. T. Stresen-Reuter - 30 May 2006 11:57:02 -0000 Dimitre Novatchev - 30 May 2006 01:34:43 -0000 M. David Peterson - 30 May 2006 06:57:49 -0000

<- Previous	Index	Next ->
RE: [xsl] Positional Grouping probl, Florent Georges	Thread	Re: [xsl] XSL Injection, is it poss, David Carlisle
RE: [xsl] Positional Grouping probl, Florent Georges	Date	Re: [xsl] XSL Injection, is it poss, David Carlisle
	Month

© 2002-2008 SyncRO Soft Ltd. All rights reserved.
                                             | Sitemap | Privacy Policy 
 This website was created & generated with
                                             <oXygen/> XML Editor


	Keywords unicode xml xsl xslt