Alex Klizhentas | 6 Sep 14:18

Preventing XPath injection

Hi All, 
I'm facing the following issue:

xslt transformations accept xpath expressions as parameters, and if you write something like:

transform(a,param = " '  '  ' ") - xpath evaluation will fail. Is there any common/standard way to prevent that?

Alex

_______________________________________________
lxml-dev mailing list
lxml-dev <at> codespeak.net
http://codespeak.net/mailman/listinfo/lxml-dev
Geoffrey Sneddon | 6 Sep 15:24

Re: Preventing XPath injection


On 6 Sep 2008, at 13:18, Alex Klizhentas wrote:

> Hi All, I'm facing the following issue:
>
> xslt transformations accept xpath expressions as parameters, and if  
> you
> write something like:
>
> transform(a,param = " '  '  ' ") - xpath evaluation will fail. Is  
> there any
> common/standard way to prevent that?

No, what I've been using is:

def escapeXPathString(string):
	return u"concat('', '%s')" % string.replace(u"'", u"', \"'\", '")

The first parameter to the concat function is needed because it must  
always have at least two parameters.

--
Geoffrey Sneddon
<http://gsnedders.com/>
Alex Klizhentas | 6 Sep 19:52

Re: Preventing XPath injection

That's strange, I thought it should be quoted like: &apos;

2008/9/6 Geoffrey Sneddon <foolistbar <at> googlemail.com>

On 6 Sep 2008, at 13:18, Alex Klizhentas wrote:

Hi All, I'm facing the following issue:

xslt transformations accept xpath expressions as parameters, and if you
write something like:

transform(a,param = " '  '  ' ") - xpath evaluation will fail. Is there any
common/standard way to prevent that?

No, what I've been using is:

def escapeXPathString(string):
       return u"concat('', '%s')" % string.replace(u"'", u"', \"'\", '")

The first parameter to the concat function is needed because it must always have at least two parameters.


--
Geoffrey Sneddon
<http://gsnedders.com/>




--
Regards,
Alex
Geoffrey Sneddon | 7 Sep 17:53

Re: Preventing XPath injection


On 6 Sep 2008, at 18:52, Alex Klizhentas wrote:

> That's strange, I thought it should be quoted like: &apos;

Nope. A string is "[^"]*" or '[^']*' — it is exactly what is between  
the quotes.

--
Geoffrey Sneddon
<http://gsnedders.com/>
Ian Bicking | 7 Sep 19:16

Re: Preventing XPath injection

Geoffrey Sneddon wrote:
> On 6 Sep 2008, at 18:52, Alex Klizhentas wrote:
> 
>> That's strange, I thought it should be quoted like: &apos;
> 
> Nope. A string is "[^"]*" or '[^']*' — it is exactly what is between  
> the quotes.

When I was trying to figure out CSS to XPath translation, I tried to 
figure out how string quoting worked in XPath.  Unfortunately I couldn't 
find any reference to string quoting in the specs (though of course I 
might have missed it).  This seemed like a very peculiar omission.

-- 
Ian Bicking : ianb <at> colorstudy.com : http://blog.ianbicking.org
Marius Gedminas | 7 Sep 20:05

Re: Preventing XPath injection

On Sun, Sep 07, 2008 at 12:16:25PM -0500, Ian Bicking wrote:
> Geoffrey Sneddon wrote:
> > On 6 Sep 2008, at 18:52, Alex Klizhentas wrote:
> > 
> >> That's strange, I thought it should be quoted like: &apos;
> > 
> > Nope. A string is "[^"]*" or '[^']*' — it is exactly what is between  
> > the quotes.
> 
> When I was trying to figure out CSS to XPath translation, I tried to 
> figure out how string quoting worked in XPath.  Unfortunately I couldn't 
> find any reference to string quoting in the specs (though of course I 
> might have missed it).  This seemed like a very peculiar omission.

XPath 2.0 spec rectifies that:

  The value of a string literal is an atomic value whose type is
  xs:string and whose value is the string denoted by the characters
  between the delimiting apostrophes or quotation marks. If the literal
  is delimited by apostrophes, two adjacent apostrophes within the
  literal are interpreted as a single apostrophe. Similarly, if the
  literal is delimited by quotation marks, two adjacent quotation marks
  within the literal are interpreted as one quotation mark.

      -- http://www.w3.org/TR/xpath20/#id-literals

XPath 1.0 is silent on the matter.  I suppose you could always
concatenate strings, e.g. concat("Look, it's a ", '"quoted string"!')...

Marius Gedminas
-- 
Hoping the problem  magically goes away  by ignoring it is the "microsoft
approach to programming" and should never be allowed.
                -- Linus Torvalds
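A worked version of what Geoffrey's escapeXPathString() and Marius's XPath 1.0 vs 2.0 note describe, as an added example (not code from the thread or from lxml). It is plain Python with no lxml dependency: xpath_literal() turns any Python string into an XPath 1.0 string expression, switching to concat() only when both quote characters are present; the thread's function is reproduced for comparison; xpath2_literal() shows the XPath 2.0 doubled-delimiter form, which XPath 1.0 does not accept; and eval_string_expr() is a small checker that applies the XPath 1.0 literal grammar (a literal is "[^"]*" or '[^']*', with no escape sequence) to confirm that each escaper round-trips and that an unescaped value does not parse as one string. The function names, the //user[@name=...] predicate and the injection payload are this example's own inventions.

```python
import re

# Exactly one XPath 1.0 string literal (there is no escaping inside it):
#   Literal ::= '"' [^"]* '"' | "'" [^']* "'"
_LITERAL = re.compile(r'"([^"]*)"' r"|'([^']*)'")


def xpath_literal(value):
    """Render a Python string as an XPath 1.0 string expression.

    Use whichever delimiter the value does not contain.  If it contains
    both kinds of quote, split on apostrophes and rebuild the value with
    concat(), passing each apostrophe as its own double-quoted literal "'".
    """
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i:
            pieces.append("\"'\"")      # the apostrophe that split() removed
        if part:
            pieces.append("'%s'" % part)
    return "concat(%s)" % ", ".join(pieces)


def xpath_literal_thread_version(value):
    """The escapeXPathString() posted in the thread, kept for comparison.

    It always emits concat('', ...), so the result is a valid concat()
    call even when no apostrophe is present (concat needs two arguments).
    """
    return "concat('', '%s')" % value.replace("'", "', \"'\", '")


def xpath2_literal(value, quote="'"):
    """XPath 2.0 form: double the delimiter inside the literal.  Not XPath 1.0."""
    return quote + value.replace(quote, quote + quote) + quote


def _lit_value(m):
    # Exactly one of the two groups takes part in a match.
    return m.group(1) if m.group(1) is not None else m.group(2)


def eval_string_expr(expr):
    """Evaluate an XPath 1.0 expression that is one literal or a concat()
    of literals, following the grammar above.  Anything else raises
    ValueError, so a value that broke out of its quotes is rejected
    instead of being silently accepted as a string.
    """
    expr = expr.strip()
    m = _LITERAL.fullmatch(expr)
    if m:
        return _lit_value(m)
    if not (expr.startswith("concat(") and expr.endswith(")")):
        raise ValueError("not a string expression: %r" % expr)
    inner = expr[len("concat("):-1]
    args = []
    pos = 0
    while True:
        m = _LITERAL.match(inner, pos)
        if not m:
            raise ValueError("expected a literal at offset %d of %r" % (pos, inner))
        args.append(_lit_value(m))
        pos = m.end()
        if pos == len(inner):
            break
        if inner[pos] != ",":
            raise ValueError("expected ',' at offset %d of %r" % (pos, inner))
        pos += 1
        while pos < len(inner) and inner[pos] == " ":
            pos += 1
    if len(args) < 2:
        raise ValueError("concat() needs at least two arguments")
    return "".join(args)


def naive_predicate(name):
    """Vulnerable: the value is dropped between quotes with no escaping."""
    return "//user[@name='%s']" % name


def safe_predicate(name):
    """Hardened: the value is rendered as exactly one XPath string expression."""
    return "//user[@name=%s]" % xpath_literal(name)


# Constructed injection payload for the demonstration (not from the thread).
PAYLOAD = "' or '1'='1"


def round_trips(value):
    """True when both escapers yield an expression that evaluates back to value."""
    return all(
        eval_string_expr(escape(value)) == value
        for escape in (xpath_literal, xpath_literal_thread_version)
    )
```

Whichever escaper you use, the point is that the untrusted value must become exactly one XPath string literal, or one concat() of literals, before it is pasted into the expression; eval_string_expr() refusing `'' or '1'='1'` while accepting `"' or '1'='1"` is that check made explicit. Later lxml releases (after this 2008 thread) remove the need for string building in the common cases: etree.XPath and the .xpath() method accept variables as keyword arguments that the expression references as $name, and etree.XSLT.strparam(value) marks a transform parameter as a string that lxml quotes itself.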
Geoffrey Sneddon | 7 Sep 20:24

Re: Preventing XPath injection


On 7 Sep 2008, at 19:05, Marius Gedminas wrote:

> XPath 1.0 is silent on the matter.  I suppose you could always
> concatenate strings, e.g. concat("Look, it's a ", '"quoted  
> string"!')...

I just interpreted the XML EBNF as meaning there was no escaping,  
and removed the leading/trailing quote char for it to be logical. Which  
seems to be how things work.

--
Geoffrey Sneddon
<http://gsnedders.com/>
Alex Klizhentas | 8 Sep 16:44

Re: Preventing XPath injection

Hi All,

The context is a first parameter in the xpath/xslt extension functions and the tutorial states that it can be used to save function state.
I wonder whether it is thread safe.

Regards,
Alex
Stefan Behnel | 8 Sep 17:01

Re: Preventing XPath injection

Hi,

please start a new thread for a new question.

Stefan

Alex Klizhentas wrote:
> The context is a first parameter in the xpath/xslt extension functions and
> the tutorial states that it can be used to save function state.
> I wonder whether it is thread safe.
>
> Regards,
> Alex
Alex Klizhentas | 8 Sep 17:23

Re: Preventing XPath injection

Sorry, forgot to change the subject field :)

2008/9/8 Stefan Behnel <stefan_ml <at> behnel.de>
Hi,

please start a new thread for a new question.

Stefan


Alex Klizhentas wrote:
> The context is a first parameter in the xpath/xslt extension functions and
> the tutorial states that it can be used to save function state.
> I wonder whether it is thread safe.
>
> Regards,
> Alex




--
Regards,
Alex
Mike Meyer | 8 Sep 17:32

Re: Preventing XPath injection

On Mon, 8 Sep 2008 19:23:45 +0400
"Alex Klizhentas" <klizhentas <at> gmail.com> wrote:

> Sorry, forgot to change the subject field :)

And the "In-Reply-To" and "References" fields - at the very least.

      <mike

> 2008/9/8 Stefan Behnel <stefan_ml <at> behnel.de>
> 
> > Hi,
> >
> > please start a new thread for a new question.
> >
> > Stefan
> >
> >
> > Alex Klizhentas wrote:
> > > The context is a first parameter in the xpath/xslt extension functions
> > and
> > > the tutorial states that it can be used to save function state.
> > > I wonder whether it is thread safe.
> > >
> > > Regards,
> > > Alex
> >
> >
> 
> 

-- 
Mike Meyer <mwm <at> mired.org>		http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
