Although filters are optional in XPath expressions, for performance and security reasons, a at least one filter should always be specified to prevent reading the whole table.


== Noncompliant Code Example

[source,text]
----
/Employees/Employee/UserID |
/Employees/Employee/FirstName |
/Employees/Employee/LastName |
/Employees/Employee/SSN |
/Employees/Employee/Salary
----


== Compliant Solution

[source,text]
----
/Employees/Employee[Managers/Manager/text() = Joe]/UserID | 
/Employees/Employee[Managers/Manager/text() = Joe]/FirstName | 
/Employees/Employee[Managers/Manager/text() = Joe]/LastName | 
/Employees/Employee[Managers/Manager/text() = Joe]/SSN | 
/Employees/Employee[Managers/Manager/text() = Joe]/Salary 
----


== See

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure