mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
17 lines
443 B
Ruby
17 lines
443 B
Ruby
|
# Safe: user-supplied substring routed through the project-local
|
||
|
|
# `escape_xpath` helper before interpolation. The sanitizer clears
|
||
|
|
# XPATH_INJECTION so the sink does not fire.
|
||
|
|
require 'nokogiri'
|
||
|
|
|
||
|
|
def escape_xpath(raw)
|
||
|
|
raw.gsub("'", ''').gsub('"', '"')
|
||
|
|
end
|
||
|
|
|
||
|
|
def lookup(params)
|
||
|
|
doc = Nokogiri::XML(File.read("users.xml"))
|
||
|
|
user = params[:user]
|
||
|
|
safe = escape_xpath(user)
|
||
|
|
expr = "//user[name='#{safe}']"
|
||
|
|
doc.xpath(expr)
|
||
|
|
end
|