The components used to construct an XPath expression may include sensitive or user-controlled information, which can turn it into a malicious expression and lead to XPath injection. For safer construction, keep the sensitive value out of the expression text: pre-compile the query and include the value through a variable reference.

When using the github.com/ChrisTrenkamp/goxpath module, create a function that accepts a *goxpath.Opts parameter. This function sets the values of the variable references and should be passed when calling Exec(), Exec{Bool|Num|Node}(), ParseExec(), or MustExec() from github.com/ChrisTrenkamp/goxpath.
Vulnerable: the request value is concatenated into the expression text.

```go
package main

import (
	"net/http"
	"github.com/ChrisTrenkamp/goxpath"
	"github.com/ChrisTrenkamp/goxpath/tree"
)

func example(r *http.Request, doc tree.Node) {
	password := r.Form.Get("password")
	// NOTE: password directly used in XPath expression construction,
	// so a crafted value can change the structure of the query.
	xPath := goxpath.MustParse("abc=" + password + ",xyz")
	xPath.ExecBool(doc)
}
```
Recommended: the expression is compiled with a variable reference and the value is bound through *goxpath.Opts.

```go
package main

import (
	"net/http"

	"github.com/ChrisTrenkamp/goxpath"
	"github.com/ChrisTrenkamp/goxpath/tree"
)

func example(r *http.Request, doc tree.Node) {
	password := r.Form.Get("password")
	// The expression text is constant; $password is a variable reference.
	xPath := goxpath.MustParse("abc=$password,xyz")
	// NOTE: password is no longer used directly in XPath expression
	// construction. The option function below sets the values of the
	// variable references, e.g. password, and is passed to ExecBool.
	opt := func(o *goxpath.Opts) {
		o.Vars["password"] = tree.String(password)
	}
	xPath.ExecBool(doc, opt)
}
```
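As an added example (not part of this rule page or the goxpath project), the following stdlib-only checker finds the concatenation pattern this rule describes: it parses Go source and flags calls to the goxpath entry points named above whose expression argument is built from non-literal parts, while the $variable form passes. It is purely syntactic and assumes the package is imported under its default name goxpath; the embedded source sample is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// goxpath entry points that compile an expression string, taken from the rule text above.
var xpathSinks = map[string]bool{"Parse": true, "MustParse": true, "ParseExec": true, "MustExec": true}
// isDynamic reports whether an argument can carry runtime data into the expression:
// anything other than a string literal or a concatenation of string literals.
func isDynamic(e ast.Expr) bool {
	switch x := e.(type) {
	case *ast.BasicLit:
		return x.Kind != token.STRING
	case *ast.BinaryExpr:
		return x.Op != token.ADD || isDynamic(x.X) || isDynamic(x.Y)
	}
	return true
}

// FindDynamicXPath returns the line numbers of goxpath.<sink>(expr, ...) calls whose expression is non-constant.
func FindDynamicXPath(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "src.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok && len(call.Args) > 0 {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok && xpathSinks[sel.Sel.Name] {
				if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "goxpath" && isDynamic(call.Args[0]) {
					lines = append(lines, fset.Position(call.Pos()).Line)
				}
			}
		}
		return true
	})
	return lines, nil
}
// Constructed sample: line 4 concatenates request data into the query, line 5 uses a $variable.
const sample = "package p\nimport \"github.com/ChrisTrenkamp/goxpath\"\nfunc f(pw string) {\n" +
	"\tgoxpath.MustParse(\"abc=\" + pw + \",xyz\")\n\tgoxpath.MustParse(\"abc=$password,xyz\")\n}\n"

func main() {
	lines, err := FindDynamicXPath(sample)
	fmt.Println(lines, err) // [4] <nil>
}
```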