Although filters are optional in XPath expressions, for performance and security reasons at least one filter should always be specified, so that the query does not read the whole table.
== Noncompliant Code Example
[source,text]
----
/Employees/Employee/UserID
/Employees/Employee/FirstName
/Employees/Employee/LastName
/Employees/Employee/SSN
/Employees/Employee/Salary
----
== Compliant Solution
[source,text]
----
/Employees/Employee[Managers/Manager/text() = 'Joe']/UserID
/Employees/Employee[Managers/Manager/text() = 'Joe']/FirstName
/Employees/Employee[Managers/Manager/text() = 'Joe']/LastName
/Employees/Employee[Managers/Manager/text() = 'Joe']/SSN
/Employees/Employee[Managers/Manager/text() = 'Joe']/Salary
----
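To show the two queries side by side, here is an added Ruby example (not part of the rule text) that runs them with REXML from Ruby's standard distribution; the Employees document and the user IDs in it are constructed sample data. It also passes the manager name as an XPath variable instead of splicing it into the expression string, which is how the filter value should be supplied when it comes from user input.

```ruby
require "rexml/document"

# Constructed sample data standing in for the Employees table on the page.
EMPLOYEES_XML = <<~XML
  <Employees>
    <Employee><UserID>u100</UserID><FirstName>Ann</FirstName><LastName>Lee</LastName>
      <SSN>111-11-1111</SSN><Salary>90000</Salary>
      <Managers><Manager>Joe</Manager></Managers></Employee>
    <Employee><UserID>u101</UserID><FirstName>Bob</FirstName><LastName>Ray</LastName>
      <SSN>222-22-2222</SSN><Salary>85000</Salary>
      <Managers><Manager>Sue</Manager></Managers></Employee>
    <Employee><UserID>u102</UserID><FirstName>Cat</FirstName><LastName>Kim</LastName>
      <SSN>333-33-3333</SSN><Salary>70000</Salary>
      <Managers><Manager>Joe</Manager><Manager>Sue</Manager></Managers></Employee>
  </Employees>
XML

DOC = REXML::Document.new(EMPLOYEES_XML)

# Noncompliant query from the page: no filter, so every SSN in the table is read.
def all_ssns(doc = DOC)
  REXML::XPath.match(doc, "/Employees/Employee/SSN").map(&:text)
end

# Compliant query from the page: the Manager filter limits the read to one
# manager's reports. The name is passed as the XPath variable $manager rather
# than interpolated into the expression, so quotes or brackets in the value are
# compared as plain data and cannot change the structure of the query.
def ssns_managed_by(manager, doc = DOC)
  xpath = "/Employees/Employee[Managers/Manager/text() = $manager]/SSN"
  REXML::XPath.match(doc, xpath, nil, { "manager" => manager }).map(&:text)
end

if $PROGRAM_NAME == __FILE__
  p all_ssns                   # every SSN in the table
  p ssns_managed_by("Joe")     # only Ann's and Cat's
  p ssns_managed_by("O'Brien") # no match, and the apostrophe causes no XPath error
end
```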
== See
* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure