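        /**
         * Saxon: Safe when Whitelisting on XQuery Expression Example
         * Proves that Saxon is safe from injection when whitelisting the XQuery expression
         *
         * Reads the "payload" query-string parameter, rejects it when it contains a double
         * quote or a semicolon, and otherwise splices it into the XQuery string literal.
         * Strictly this is a denylist of two characters rather than a whitelist, so the
         * header's wording is loose. Any exception (including the rejection) is written to
         * the response as ex.ToString(), which exposes the stack trace -- suitable only for
         * this demonstration page.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            // NOTE(review): the header calls this the safe example, yet the expected
            // outcome handed to PrintResults is false -- confirm which is intended.
            bool expectedSafe = false;

            try
            {
                // parse the XML
                Processor       processor = new Processor(false);
                DocumentBuilder doc       = processor.newDocumentBuilder();
                XdmNode         node      = doc.build(new StreamSource(appPath + "/resources/students.xml"));

                // Read the untrusted parameter once. A missing parameter yields null from
                // QueryString, which previously surfaced as a NullReferenceException in the
                // Contains() checks; an absent value is treated as the empty string instead.
                string payload = Request.QueryString["payload"] ?? string.Empty;

                // query the XML
                string query;
                if (payload.Contains("\"") || payload.Contains(";"))
                {
                    // report an empty result set before signalling the rejected input
                    PrintResults(expectedSafe, new List<string>());
                    throw new InvalidParameterException("First Name parameter must not contain quotes or semicolons");
                }
                else
                {
                    // the value is embedded inside a double-quoted XQuery string literal;
                    // the check above is what keeps it from closing that literal
                    query = "for $s in //Students/Student " +
                            "where $s/FirstName = \"" + payload + "\" " +
                            "return $s";    // safe in here!
                }
                XQueryCompiler   xqComp = processor.newXQueryCompiler();
                XQueryExecutable xqExec = xqComp.compile(query);
                XQueryEvaluator  xqEval = xqExec.load();
                xqEval.setContextItem(node);
                xqEval.evaluate();

                // interpret the result of the query
                List<string> resultList = new List<string>();
                foreach (XdmValue value in xqEval)
                {
                    resultList.Add(value.ToString());
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);
            }
            catch (Exception ex)
            {
                // demo-only diagnostics: echoes the full exception, stack trace included
                Response.Write(ex.ToString());
            }
        }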
        /**
         * Saxon: Safe when Using Bind Variables on XQuery Expression Example
         * Proves that Saxon is safe from injection when using bind variables on the XQuery expression
         *
         * The request parameter never becomes part of the query text: it is handed to the
         * compiled query as the external variable $name, so it is only ever a string value.
         * Exceptions are echoed to the response via ex.ToString() (demo-only diagnostics).
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            const bool expectedSafe = true;

            try
            {
                // load the document the query runs against
                var processor = new Processor(false);
                var builder   = processor.newDocumentBuilder();
                var document  = builder.build(new StreamSource(appPath + "/resources/students.xml"));

                // the user-supplied value is declared as an external variable, not concatenated
                const string query =
                    "declare variable $name as xs:string external; " +
                    "for $s in //Students/Student " +
                    "where $s/FirstName = $name " +
                    "return $s";   // safe!

                var evaluator = processor.newXQueryCompiler().compile(query).load();
                evaluator.setContextItem(document);
                evaluator.setExternalVariable(new QName("name"), new XdmAtomicValue(Request.QueryString["payload"]));
                evaluator.evaluate();

                // collect the string form of every item the query produced
                var results = new List<string>();
                foreach (XdmValue item in evaluator)
                {
                    results.Add(item.ToString());
                }

                PrintResults(expectedSafe, results);
            }
            catch (Exception ex)
            {
                Response.Write(ex.ToString());
            }
        }