==== Validation

In case XPath parameterized queries are not available, the most secure way to protect against injections is to validate the input before using it in an XPath query.

**Important**: The application must do this validation server-side. Validating this client-side is insecure.

Input can be validated in multiple ways:

*  By checking against a list of authorized and secure strings that the application is allowed to use in a query.
*  By ensuring user input is restricted to a specific range of characters (e.g., the regex `/^[a-zA-Z0-9]*$/` only allows alphanumeric characters.)
*  By ensuring user input does not include any XPath metacharacters, such as `"`, `'`, `/`, `@`, `=`, `*`, `[`, `]`, `(` and `)`.

If user input is not considered valid, it should be rejected as it is unsafe.