如何prevent的XPath / XML注入在.NET [英] How to prevent XPath/XML injection in .NET

问题描述

我怎样才能prevent XPath注入在.NET Framework？

How can I prevent XPATH injection in the .NET Framework?

我们previously使用字符串连接来构建XPATH语句，却发现最终用户可以执行任意XPATH。例如：

We were previously using string concatenation to build XPATH statements, but found that end users could execute some arbitrary XPATH. For example:

string queryValue = "pages[@url='" + USER_INPUT_VALUE + "']";
node = doc.DocumentElement.SelectSingleNode(queryValue);

难道是足以去掉单引号和双引号的输入字符串？

Would it be sufficient to strip out single and double quotes from input strings?

或者说，在.NET框架的支持参数的XPath查询？

Or, does the .NET framework support parameterized XPATH queries?

推荐答案

pventing的XPath注入在$ P $的主要思想是，以pre-编译要使用的XPath EX pression并允许变量（参数）的它，这在评估过程中会通过用户输入的值来代替

在.NET中

1. 让您的XPath EX $ P $心灵术士pre-编译的的 XPathEx pression.Compile（）

1. Have your XPath expresion pre-compiled with XPathExpression.Compile().

使用 XPathEx pression.SetContext（ ）方法以指定的上下文中的的 XsltContext 对象，解决了一些具体的变量到用户输入的值。

Use the XPathExpression.SetContext() Method to specify as context an XsltContext object that resolves some specific variables to the user-entered values.

您可以阅读更多关于如何评价包含变量的的

You can read more about how to evaluate an XPath expression that contains variables here.

这个文本包含良好的，完整的例子。

This text contains good and complete examples.

这篇关于如何prevent的XPath / XML注入在.NET的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！