Unsanitized user input in XPath

Description

Using unsanitized input in an XPath expression could lead to XPath injection if variables are not properly sanitized. XPath injection could lead to unauthorized access to sensitive information in XML documents.

Remediations

❌ Avoid using user input in XPath expressions

✅ Sanitize user input when it must be included


## References
- [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection)


Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_xpath_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_xpath_injection