include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
// === javax.xml.xpath.XPath ===
import javax.xml.namespace.QName;
import javax.xml.xpath.XPath;

import org.xml.sax.InputSource;

class M {
    void foo(XPath xpath, String expression, InputSource source, QName returnType, Object item) throws Exception {
        xpath.compile(expression); // Sensitive
        xpath.evaluate(expression, source); // Sensitive
        xpath.evaluate(expression, source, returnType); // Sensitive
        xpath.evaluate(expression, item); // Sensitive
        xpath.evaluate(expression, item, returnType); // Sensitive
    }
}
----

----
// === Apache XML Security ===
import org.apache.xml.utils.PrefixResolver;
import org.apache.xml.security.utils.XPathAPI;
import org.w3c.dom.Node;

class M {
    void foo(XPathAPI api, Node contextNode, String str, Node namespaceNode, PrefixResolver prefixResolver,
            Node xpathnode) throws Exception {
        api.evaluate(contextNode, xpathnode, str, namespaceNode); // Sensitive
        api.selectNodeList(contextNode, xpathnode, str, namespaceNode); // Sensitive
    }
}
----

----
// === Apache Xalan ===
import org.apache.xml.utils.PrefixResolver;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Node;

class M {
    void foo(XPathAPI api, Node contextNode, String str, Node namespaceNode, PrefixResolver prefixResolver)
            throws Exception {
        XPathAPI.eval(contextNode, str); // Sensitive
        XPathAPI.eval(contextNode, str, namespaceNode); // Sensitive
        XPathAPI.eval(contextNode, str, prefixResolver); // Sensitive
        XPathAPI.selectNodeIterator(contextNode, str); // Sensitive
        XPathAPI.selectNodeIterator(contextNode, str, namespaceNode); // Sensitive
        XPathAPI.selectNodeList(contextNode, str); // Sensitive
        XPathAPI.selectNodeList(contextNode, str, namespaceNode); // Sensitive
        XPathAPI.selectSingleNode(contextNode, str); // Sensitive
        XPathAPI.selectSingleNode(contextNode, str, namespaceNode); // Sensitive
    }
}
----

----
// === org.apache.commons.jxpath ===
import org.apache.commons.jxpath.JXPathContext;

abstract class A extends JXPathContext{
    A(JXPathContext compilationContext, Object contextBean) {
        super(compilationContext, contextBean);
    }


    void foo(JXPathContext context, String str, Object obj, Class<?> requiredType) {
        JXPathContext.compile(str); // Sensitive
        this.compilePath(str); // Sensitive
        context.createPath(str); // Sensitive
        context.createPathAndSetValue(str, obj); // Sensitive
        context.getPointer(str); // Sensitive
        context.getValue(str); // Sensitive
        context.getValue(str, requiredType); // Sensitive
        context.iterate(str); // Sensitive
        context.iteratePointers(str); // Sensitive
        context.removeAll(str); // Sensitive
        context.removePath(str); // Sensitive
        context.selectNodes(str); // Sensitive
        context.selectSingleNode(str); // Sensitive
        context.setValue(str, obj); // Sensitive
    }
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]