
* Add rule information * Add lxml * Add Python stdlib * Change the XPath queries such that they're correct * Remove nonexistent highlighting reference * Add lxml as allowed framework * Split up parameterized queries and validation * Fix typo * Make changes in Java docs * Fix .NET text * Update rules/S2091/python/how-to-fix-it/python.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update common texts * Update code samples * Fix typo * Use correct syntax for lxml * Apply code review fixes Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
14 lines
806 B
Plaintext
==== Validation
If XPath parameterized queries are not available, the most secure way to protect against injection is to validate the input before using it in an XPath query.
**Important**: The application must do this validation server-side. Validating this client-side is insecure.
Input can be validated in multiple ways:
* By checking against a list of authorized and secure strings that the application is allowed to use in a query.
* By ensuring user input is restricted to a specific range of characters (e.g., the regex `/^[a-zA-Z0-9]*$/` only allows alphanumeric characters.)
* By ensuring user input does not include any XPath metacharacters, such as `"`, `'`, `/`, `@`, `=`, `*`, `[`, `]`, `(` and `)`. This denylist approach is the least robust of the three and is best used in addition to one of the others rather than on its own.
If user input is not considered valid, it should be rejected as it is unsafe.
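The following is an added example and is not code from the rule page or from the SonarSource rule sources. It implements the three validation strategies above in Python and shows the vulnerable concatenation beside the validated lookup. It assumes a constructed sample user document and uses only the standard library (`re` and `xml.etree.ElementTree`, whose `findall` accepts the simple `[@attr='value']` predicates used here); the injected query is shown as the string that would be handed to a full XPath engine such as lxml. The function and constant names (`find_users`, `validate_username`, `USERS_XML`, and so on) are the example's own choices.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample user store for this example; not data from the page.
USERS_XML = """<users>
  <user name="alice" role="user"/>
  <user name="bob" role="admin"/>
</users>"""

# Strategy 1: allowlist. A role may only ever be one of these exact strings.
ALLOWED_ROLES = frozenset({"user", "admin"})

# Strategy 2: character-set restriction. The page's regex uses `*`, which also
# accepts the empty string; `+` is used here so an empty username is rejected too.
USERNAME_RE = re.compile(r"[a-zA-Z0-9]+")

# Strategy 3: denylist of XPath metacharacters, kept as a redundant check.
XPATH_METACHARS = frozenset("\"'/@=*[]()")


def is_allowed_role(value: str) -> bool:
    return value in ALLOWED_ROLES


def is_alnum(value: str) -> bool:
    # fullmatch rather than search: the whole value must be alphanumeric.
    return USERNAME_RE.fullmatch(value) is not None


def has_no_metachars(value: str) -> bool:
    return not (set(value) & XPATH_METACHARS)


def validate_username(value: str) -> str:
    """Return the username unchanged if it passes validation, else raise.

    Invalid input is rejected outright (not escaped or sanitized), as the page
    recommends. This check runs on the server, never only in the client.
    """
    if not (is_alnum(value) and has_no_metachars(value)):
        raise ValueError("rejected unsafe username")
    return value


def validate_role(value: str) -> str:
    if not is_allowed_role(value):
        raise ValueError("rejected unknown role")
    return value


def unsafe_query(username: str) -> str:
    """The vulnerable pattern: raw input concatenated into the query string."""
    return f".//user[@name='{username}']"


def find_users(doc_text: str, username: str, role: str) -> list:
    """Look up users by name and role, validating both inputs first."""
    query = (
        f".//user[@name='{validate_username(username)}']"
        f"[@role='{validate_role(role)}']"
    )
    root = ET.fromstring(doc_text)
    return [u.get("name") for u in root.findall(query)]


if __name__ == "__main__":
    payload = "alice' or '1'='1"
    # Without validation the payload rewrites the predicate; in a full XPath
    # engine the resulting query matches every user.
    print(unsafe_query(payload))  # .//user[@name='alice' or '1'='1']
    print(find_users(USERS_XML, "bob", "admin"))  # ['bob']
    try:
        find_users(USERS_XML, payload, "admin")
    except ValueError as exc:
        print("blocked:", exc)
```

The allowlist is used for the field with a small, known set of values (the role) and the character-set rule for the free-form field (the username); the metacharacter denylist is applied as well, but only the first two are relied on.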