[XSL-LIST Mailing List Archive Home]
[By Thread]
[By Date]
This expression:
//page[@name = $pagename and anInterestingXPathExpression]
In this way I could test whether certain elements have certain values, ..., etc.
The same goes for any extension functions that might be supported.
On 5/30/06, G. T. Stresen-Reuter <tedmasterweb@xxxxxxx> wrote:
Re: [xsl] XSL Injection, is it possible?
|
Subject: Re: [xsl] XSL Injection, is it possible? From: "Dimitre Novatchev" <dnovatchev@xxxxxxxxx> Date: Tue, 30 May 2006 09:13:52 -0700 |
But I do wonder, how would you circumvent an XPath expression such as this?
select="//page[@name = $pagename]/content[@lang = $lang]/block[@id = $block_id]"
This expression:
//page[@name = $pagename and anInterestingXPathExpression]
will produce the page with name given by $pagename only when the "anInterestingXPathExpression" is true.
In this way I could test whether certain elements have certain values, ..., etc.
In case the dynamically generated XPath expression is evaluated within an XSLT processor, then the document() function is very likely to be referenced within the injected part of the expression.
The same goes for any extension functions that might be supported.
-- Cheers, Dimitre Novatchev --------------------------------------- Truly great madness cannot be achieved without significant intelligence.
On 5/30/06, G. T. Stresen-Reuter <tedmasterweb@xxxxxxx> wrote:
On May 30, 2006, at 2:34 AM, Dimitre Novatchev wrote:
> There are some applications that allow the end user to enter an XPath > expression (oh, why does this sound somewhat familiar to me :o) ), > and the possibility for *XPath Injection* is a very real one.
This was precisely the concern I had but lacked the language to express. Of course our system uses user input in XPath expressions. I'll have to go back and quadruple check that the origin and format of the variables are what I expect them to be or I could have some problems!
But I do wonder, how would you circumvent an XPath expression such as this?
select="//page[@name = $pagename]/content[@lang = $lang]/block[@id = $block_id]"
It seems to me that if the variables aren't exactly what the system expects, no match is found and no results are returned. Passing * as the $pagename also doesn't have the expected result since it seems be seen as the literal asterisk and not as the wildcard character. Am I missing something?
Thanks in advance and for this feedback. Very helpful indeed!
Ted Stresen-Reuter
-- Cheers, Dimitre Novatchev --------------------------------------- Truly great madness cannot be achieved without significant intelligence.
| Current Thread |
|---|
|
| <- Previous | Index | Next -> |
|---|---|---|
| Re: [xsl] XSL Injection, is it poss, G. T. Stresen-Reuter | Thread | Re: [xsl] XSL Injection, is it poss, G. T. Stresen-Reuter |
| RE: [xsl] Multibyte language only , Gabriel Osorio | Date | Re: [xsl] Building XML, Mulberry Technologie |
| Month |