At present, there is no means to substitute literal text into the query component of an "xmlstarlet ed" command which is immune to injection. Consider, as an example:
```sh
xmlstarlet ed \
  --var key '"Application/Foo" or 1=1' \
  -u '//name[.=$key]/following-sibling::value[1]' \
  -v 'bar'
```
Because the value bound to `$key` is parsed as an XPath expression, content such as `or 1=1` is interpreted as XPath rather than as literal text, so the predicate matches every name element instead of only those whose content equals a specific known value.
A --string-var alternative to --var, which passes the value given as a literal string, would be an effective way to address this need.
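Until such an option exists, the usual mitigation is to wrap the untrusted value in an XPath string literal before passing it to --var, so the expression can only ever evaluate to that string. The shell helper below is an added example, not part of xmlstarlet or of this report; the `xpath_string_literal` name and the sample input are my own.

```shell
#!/bin/sh
# Added example (not xmlstarlet's own code): build an XPath string literal
# from an untrusted value so --var receives an expression that can only
# evaluate to that exact string.
q=\'   # a single-quote character
d=\"   # a double-quote character

# xpath_string_literal VALUE: print an XPath expression equal to VALUE.
# No single quote in VALUE  -> 'VALUE'
# No double quote in VALUE  -> "VALUE"
# Both quote kinds present  -> concat('part', "'", 'part', ...), since
#                              XPath 1.0 string literals have no escape syntax.
xpath_string_literal() {
    value=$1
    case $value in
        *"$q"*)
            case $value in
                *"$d"*)
                    out="concat("
                    rest=$value
                    while :; do
                        case $rest in
                            *"$q"*)
                                chunk=${rest%%"$q"*}
                                rest=${rest#*"$q"}
                                out="$out$q$chunk$q, $d$q$d, "
                                ;;
                            *)
                                out="$out$q$rest$q)"
                                break
                                ;;
                        esac
                    done
                    printf '%s\n' "$out"
                    ;;
                *) printf '%s\n' "$d$value$d" ;;
            esac
            ;;
        *) printf '%s\n' "$q$value$q" ;;
    esac
}

# Hardened form of the command from the report: $key now holds a plain
# string, so the "or 1=1" in $untrusted is compared as text, never evaluated.
untrusted='"Application/Foo" or 1=1'   # constructed sample input
# xmlstarlet ed \
#   --var key "$(xpath_string_literal "$untrusted")" \
#   -u '//name[.=$key]/following-sibling::value[1]' \
#   -v bar
```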