XML Editor - Download a Free Trial >
See What's New >
Buy Now >

[Home] [By Thread] [By Date] [Recent Entries]

Subject: Re: XSL Injection, is it possible?
From: "G. T. Stresen-Reuter" <tedmasterweb@xxxxxxx>
Date: Tue, 30 May 2006 19:26:26 +0100
On May 30, 2006, at 5:13 PM, Dimitre Novatchev wrote:

But I do wonder, how would you circumvent an XPath expression such as
this?

select="//page[@name = $pagename]/content[@lang = $lang]/block[@id =
$block_id]"


This expression:


//page[@name = $pagename and anInterestingXPathExpression]

will produce the page with name given by $pagename only when the
"anInterestingXPathExpression" is true.

In this way I could test whether certain elements have certain values, ..., etc.

In case the dynamically generated XPath expression is evaluated within
an XSLT processor, then the document() function is very likely to be
referenced within the injected part of the expression.

The same goes for any extension functions that might be supported.

Ok, but how would someone be able to append " and anInterestingXPathExpression" to the $pagename variable? Just adding " or 1 = 1"to the incoming value (as would be the case with SQL injection) doesn't work with Sablotron, Saxon, libxslt nor Xalan-J. The processors see the value of $pagename as [@name = 'home.html and 1 = 1'] rather than as [@name = home.html and 1 = 1]

Honestly, posting how to do this to the list may not be the best idea, but I sure would like to be able to say that the methodology I'm following is sound 8~/

Thanks again for the ideas and feedback.

Ted

Current Thread
<- PreviousIndexNext ->
Re: XSL Injection, is it poss, Dimitre Novatchev Thread Re: XSL Injection, is it poss, Dimitre Novatchev
RE: [xml] using schemas/xslt/, Nathan Young -X \(na Date RE: Multibyte language only , Karen McAdams
Month

XML Editor - Download a 15 Day Free Trial Now >
See What's New in Stylus Studio >
Buy Stylus Studio - XML Editor - Now >
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member