Using unvalidated XML can expose an application to several types of XML-related attacks:

* XML injection - the structure and/or contents of the document are changed by the addition of extra elements
* XML entity expansion - the size of the document is ballooned by injecting elements that expand exponentially, exhausing server resources
* XML external entity injection - entities are injected which result dynamically including data from another source, such as a sensitive file on the filesystem.

This rule checks that method parameters are not unconditionally used directly in XML.


=== Noncompliant code example

[source,text]
----
private string writeXml(OleDbDataReader odr) {

  XmlTextWriter xTWriter = null;
  string key = String.Empty;
  string value = String.Empty;

  try 
  {
    while(oDR.Read()) 
    {
      key = odr.GetValue(0);
      value = odr.GetValue(1);
      xTWriter.WriteElementString(key, value);  // Noncompliant
    }
  }
}
----


=== Compliant solution

[source,text]
----

private string writeXml(OleDbDataReader odr) {

  XmlTextWriter xTWriter = null;
  string key = String.Empty;
  string value = String.Empty;

  try 
  {
    while(oDR.Read()) 
    {
      key = System.SecurityElement.Escape(odr.GetValue(0));
      value = System.SecurityElement.Escape(odr.GetValue(1));
      xTWriter.WriteElementString(key, value); 
    }
  }
}
----