Unsanitized user input in XPath


Using unsanitized user input in XPath expressions can lead to XPath injection, whereby attackers can gain unauthorized access to sensitive information in XML documents. Ensure every variable passed into an XPath evaluate or compile call is properly sanitized.


  • Do sanitize user input before incorporating it into XPath queries. This prevents XPath injection by ensuring that input values cannot manipulate the query structure.
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.w3c.dom.Document;

    public class Cls extends HttpServlet {
        private Document xmlDocument; // parsed XML document the query runs against

        public void handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
            String userID = request.getParameter("userID");
            String sanitizedUserID = sanitize(userID); // Ensure sanitization (application-supplied sanitizer)

            javax.xml.xpath.XPathFactory xpf = javax.xml.xpath.XPathFactory.newInstance();
            javax.xml.xpath.XPath xp = xpf.newXPath();

            // Only the sanitized value is spliced into the expression
            String expression = "/Users/User[@userID='" + sanitizedUserID + "']";
            String result = xp.evaluate(expression, xmlDocument);
        }
    }
  • Do not directly concatenate or embed unsanitized user inputs into XPath expressions. This practice can lead to XPath injection vulnerabilities.
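The following is an added example, not code from the page or from Bearer, showing the two bullets side by side: a lookup that concatenates the raw value into the query, the same lookup with the value bound through an `XPathVariableResolver` so it can never alter the query structure, and a strict allow-list `sanitize()` for the case where the string form must be built by hand. The class name, the sample `<Users>` document and the `[A-Za-z0-9_.-]` allow-list are assumptions made for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathLookupExample {

    // Constructed sample document for the example; not from the original page.
    private static final String XML =
        "<Users>"
      + "  <User userID='alice' role='user'/>"
      + "  <User userID='bob' role='admin'/>"
      + "</Users>";

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the sample parser is not exposed to external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Vulnerable form: the user-controlled value becomes part of the query text itself.
    static int countVulnerable(Document doc, String userID) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        String expr = "/Users/User[@userID='" + userID + "']";
        NodeList nl = (NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET);
        return nl.getLength();
    }

    // Hardened form: the value is supplied through a variable resolver, so the compiled
    // expression is fixed and the input can only ever be compared as a literal.
    static int countParameterized(Document doc, String userID) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(name ->
            "userID".equals(name.getLocalPart()) ? userID : null);
        XPathExpression compiled = xp.compile("/Users/User[@userID=$userID]");
        NodeList nl = (NodeList) compiled.evaluate(doc, XPathConstants.NODESET);
        return nl.getLength();
    }

    // Allow-list sanitizer (assumed policy) for the case where a value must be spliced
    // into the string form: anything outside the allowed character set is rejected outright.
    static String sanitize(String userID) {
        if (userID == null || !userID.matches("[A-Za-z0-9_.-]{1,64}")) {
            throw new IllegalArgumentException("invalid userID");
        }
        return userID;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(XML);
        String honest = "alice";
        // Constructed input containing quote characters, used only to show how the
        // concatenated predicate changes meaning while the bound predicate does not.
        String hostile = "' or '1'='1";

        System.out.println(countVulnerable(doc, honest));      // 1: the intended match
        System.out.println(countVulnerable(doc, hostile));     // 2: the predicate now matches every user
        System.out.println(countParameterized(doc, hostile));  // 0: compared as a literal, matches nothing
        try {
            sanitize(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected by sanitize(): " + e.getMessage());
        }
    }
}
```

Binding the value with a resolver is the stronger of the two defences, because it removes string construction from the picture entirely; the allow-list sanitizer is the fallback for code that must keep the concatenated form, and it should reject rather than strip, so that an unexpected character never silently produces a different query.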


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_xpath_injection

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_xpath_injection