trary data by crafting test conditions to extract one byte of information at

substring(name(parent::*[position()=1]),1,1)=’a’

■

Having extracted the name of the parent node, use a series of conditions

with the following form to extract all of the data within the XML tree:

substring(//parentnodename[position()=1]/child::node()

[position()=1]/text(),1,1)=’a’

Preventing XPath Injection

If it is felt necessary to insert user-supplied input into an XPath query, this

operation should only be performed on simple items of data which can be sub-

jected to strict input validation. The user input should be checked against a

white list of acceptable characters, which should ideally include only alphanu-

meric characters. Characters that may be used to interfere with the XPath

query should be blocked, including 

( ) = ‘ [ ] : , * /

and all whitespace.

Any input that does not match the white list should be rejected, not sanitized.