apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

new capacity bits (#67)

Browse source
This commit is contained in:
Eli Peter 2026-05-07 01:29:31 -04:00 committed by GitHub
parent afaffc0df6
commit 7d0e7320e2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
261 changed files with 10591 additions and 231 deletions
Download patch file Download diff file Expand all files Collapse all files

23
tests/fixtures/xpath_injection/java/SafeXPathQuery.java vendored Normal file
View file

@ -0,0 +1,23 @@
// Safe: user-supplied substring routed through the project-local
// `escapeXpath` helper before being concatenated into the XPath expression.
// The sanitizer clears the XPATH_INJECTION cap so the sink does not fire.
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import javax.servlet.http.HttpServletRequest;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
public class SafeXPathQuery {
public static String escapeXpath(String raw) {
return raw.replace("'", "'");
}
public NodeList lookup(HttpServletRequest req, Document doc) throws Exception {
String user = req.getParameter("user");
String safe = escapeXpath(user);
String expr = "//user[name='" + safe + "']";
XPath xpath = XPathFactory.newInstance().newXPath();
return (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
}
}