
XPath Injection Vulnerability


Prevent unauthorized data access through XPath Injection


  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of sweet_xml for parsing and manipulating XML data
  • Usage of XML data manipulation


Non compliant code

def vulnerable(user_input) do
  # File.read/1 is assumed here; the read call was garbled in the original
  {:ok, doc} = File.read("data.xml")
  # user_input is concatenated straight into the XPath expression
  xpath = "//user[username/text() = '" <> user_input <> "']"
  # SweetXml.xpath/2 expects a ~x spec, so one is built from the string
  SweetXml.xpath(doc, SweetXml.sigil_x(xpath, ~c"l"))
end

The code is vulnerable because it concatenates a user-provided value (user_input) directly into an XPath expression. An attacker could use this to change the structure of the query that is evaluated and potentially access sensitive information.


  • Upgrade to the latest version of Elixir and the sweet_xml library if not done already
  • Always sanitize user-provided input before using in XPath expressions
  • Use parameterized queries instead of string concatenation to build XPath expressions

Compliant code

def secure(user_input) do
  # File.read/1 is assumed here; the read call was garbled in the original
  {:ok, doc} = File.read("data.xml")
  # The page's sanitization step: double every single quote in the input
  sanitized_input = String.replace(user_input, "'", "''")
  xpath = "//user[username/text() = '" <> sanitized_input <> "']"
  # SweetXml.xpath/2 expects a ~x spec, so one is built from the string
  SweetXml.xpath(doc, SweetXml.sigil_x(xpath, ~c"l"))
end

This code is safe because it sanitizes the user input by escaping special characters before using it in the XPath expression. It ensures that the user input is treated as literal text, not part of the XPath expression, preventing injection attacks.
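The third recommendation above (build the expression without raw string concatenation) is shown in the following added example, which is not part of the original page and not code from sweet_xml. XPath 1.0 has no escape sequence inside a string literal, so the helper wraps the value in whichever quote character it does not contain and falls back to concat() when it contains both; an allow-list check on the username runs before any query is built. The module name UserLookup, the function names, the inline sample document and the dependency setup are assumptions.

```elixir
# Added example, not code from the original page or from sweet_xml.
# Assumes a mix project with {:sweet_xml, "~> 0.7"} in its deps.
defmodule UserLookup do
  import SweetXml

  # Constructed sample document, embedded so the example runs without data.xml.
  @sample_xml """
  <users>
    <user><username>alice</username><role>admin</role></user>
    <user><username>o'brien</username><role>user</role></user>
  </users>
  """

  # Allow-list for usernames: letters, digits, apostrophe, dot, dash and
  # underscore, at most 64 characters. Anything else is rejected up front.
  def valid_username?(value) when is_binary(value) do
    Regex.match?(~r/^[A-Za-z0-9'._-]{1,64}$/, value)
  end

  # Turn `value` into an XPath 1.0 string literal. Literals have no escape
  # sequence, so: no single quote -> wrap in single quotes; no double quote ->
  # wrap in double quotes; both -> split on the single quote and glue the
  # pieces back together with concat(), inserting a double-quoted "'" between them.
  def xpath_literal(value) when is_binary(value) do
    cond do
      not String.contains?(value, "'") ->
        "'" <> value <> "'"

      not String.contains?(value, "\"") ->
        "\"" <> value <> "\""

      true ->
        pieces =
          value
          |> String.split("'")
          |> Enum.map(&("'" <> &1 <> "'"))
          |> Enum.intersperse("\"'\"")
          |> Enum.join(", ")

        "concat(" <> pieces <> ")"
    end
  end

  # Returns {:ok, roles} for users whose username equals `user_input` exactly,
  # or {:error, :invalid_username} when the allow-list check fails.
  def roles_for(user_input, xml \\ @sample_xml) do
    if valid_username?(user_input) do
      query = "//user[username/text() = " <> xpath_literal(user_input) <> "]/role/text()"
      # ~x cannot take a runtime string, so sigil_x/2 is called directly;
      # the "ls" modifiers return a list of strings.
      roles = xml |> parse() |> xpath(sigil_x(query, ~c"ls"))
      {:ok, roles}
    else
      {:error, :invalid_username}
    end
  end
end
```

With the sample document, UserLookup.roles_for("alice") returns {:ok, ["admin"]} and UserLookup.roles_for("o'brien") returns {:ok, ["user"]}, because the apostrophe is carried inside a double-quoted literal rather than terminating a single-quoted one. UserLookup.xpath_literal(~s(a'b"c)) returns concat('a', "'", 'b"c'), which XPath evaluates as the original five-character string. Whatever the input contains, it is only ever compared as data; the predicate structure of the query is fixed in code.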