OWASP Periodic Table of Vulnerabilities - XPath/XQuery Injection
Root Cause Summary
The application unsafely incorporates user data into an XQuery or XPath pattern which can change the logic of the query.
Browser / Standards Solution
Generic Framework Solution
The framework should provide a safe wrapper for XML search operations which canonicalizes and parameterizes patterns or avoids injection pitfalls altogether. Use only safe XQuery and XPath libraries or a subset of those libraries which is not vulnerable to injection.
Custom Framework Solution
Custom Code Solution
Discussion / Controversy