// Express route that resolves a user's home directory by running an XPath
// query built from request data. This is the deliberately BAD variant used
// to illustrate XPath injection: the user name is spliced into the
// expression text instead of being bound as a value.
const express = require('express');
const xpath = require('xpath');
const app = express();

app.get('/some/route', function(req, res) {
// req.param() returns caller-controlled input; it is also deprecated in
// Express 4 (read req.query / req.params / req.body instead).
let userName = req.param("userName");

// BAD: Use user-provided data directly in an XPath expression
// A quote character inside userName ends the string literal and lets the
// caller change the predicate that selects the user node. The fix is to keep
// userName out of the expression text and bind it as an XPath variable:
//   xpath.parse("//users/user[login/text()=$userName]/home_dir/text()")
//        .select({ node: root, variables: { userName } });
let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()");
// `root` is not defined anywhere in this snippet; it stands for the parsed
// document node the query is evaluated against. Note the selection result is
// discarded and the handler never writes a response on `res`.
badXPathExpr.select({
node: root
});
});