HP强化扫描显示Xpath Injection问题,如下所示
string repositoryID = Request.QueryString[repositoryIDKey];
XmlDocument fullTreeviewMarkup = new SafeXmlDocument().LoadDocument(GetTreeViewMarkupFromSessionStore(sourceGuid));
XmlNode repositoryNode = fullTreeviewMarkup.SelectSingleNode( String.Format( "/root/TreeViewNode/TreeViewNode[@Value=\"{0}\"]", repositoryID ) );
如何解决Xpath注入问题。这里repositoryID是System.GUID。如何验证repositoryID是GUID?
最佳答案
由于您确认repositoryID是System.Guid,所以对您的编辑如下:
Guid repositoryID;
if(Guid.TryParse(Request.QueryString[repositoryIDKey], out repositoryID))
{
XmlDocument fullTreeviewMarkup = new SafeXmlDocument().LoadDocument(GetTreeViewMarkupFromSessionStore(sourceGuid));
XmlNode repositoryNode = fullTreeviewMarkup.SelectSingleNode( String.Format( "/root/TreeViewNode/TreeViewNode[@Value=\"{0}\"]", repositoryID ) );
}
else
{
//Send Error
}