XPath injection threat detected

Rule ID: php_lang_xpath_injection
Languages: php
Source: xpath_injection.yml

Description

Using unsanitized input in an XPath expression could lead to XPath injection if variables are not properly sanitized. XPath injection could lead to unauthorized access to sensitive information in XML documents.

Remediations

❌ Avoid using user input in XPath expressions

✅ Sanitize user input when it must be included


## References
- [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection)

Associated CWE

CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

OWASP Top 10

A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_xpath_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_xpath_injection

Ready to take the next step? Learn more about Bearer Cloud.