nyx/tests/fixtures/xpath_injection/python/unsafe_xpath_query.py

# Unsafe: tainted form data concatenated into an XPath expression and passed
# to lxml's `tree.xpath()`.  Suffix matching on `xpath` catches the
# bound-receiver call directly.
from lxml import etree
from flask import request


def lookup():
    tree = etree.parse("users.xml")
    user = request.form["user"]
    expr = "//user[name='" + user + "']"
    return tree.xpath(expr)
new capacity bits (#67) 2026-05-07 01:29:31 -04:00			`# Unsafe: tainted form data concatenated into an XPath expression and passed`
			# to lxml's `tree.xpath()`. Suffix matching on `xpath` catches the
			`# bound-receiver call directly.`
			`from lxml import etree`
			`from flask import request`


			`def lookup():`
			`tree = etree.parse("users.xml")`
			`user = request.form["user"]`
			`expr = "//user[name='" + user + "']"`
			`return tree.xpath(expr)`