我怎样才能prevent XPath注入在.NET Framework?
How can I prevent XPATH injection in the .NET Framework?
我们previously使用字符串连接来构建XPATH语句,却发现最终用户可以执行任意XPATH。例如:
We were previously using string concatenation to build XPATH statements, but found that end users could execute some arbitrary XPATH. For example:
string queryValue = "pages[@url='" + USER_INPUT_VALUE + "']";
node = doc.DocumentElement.SelectSingleNode(queryValue);
难道是足以去掉单引号和双引号的输入字符串?
Would it be sufficient to strip out single and double quotes from input strings?
或者说,在.NET框架的支持参数的XPath查询?
Or, does the .NET framework support parameterized XPATH queries?
推荐答案
pventing的XPath注入在$ P $的主要思想是,以pre-编译要使用的XPath EX pression并允许变量(参数)的它,这在评估过程中会通过用户输入的值来代替
在.NET中
让您的XPath EX $ P $心灵术士pre-编译的的 XPathEx pression.Compile()
Have your XPath expresion pre-compiled with XPathExpression.Compile().
使用 XPathEx pression.SetContext( )方法以指定的上下文中的的 XsltContext 对象,解决了一些具体的变量到用户输入的值。
Use the XPathExpression.SetContext() Method to specify as context an XsltContext object that resolves some specific variables to the user-entered values.
您可以阅读更多关于如何评价包含变量的的
You can read more about how to evaluate an XPath expression that contains variables here.
这个文本包含良好的,完整的例子。
This text contains good and complete examples.
相关推荐
最新文章