
XPath injection issues are severely underrated - orf
https://tomforb.es/xcat-1.0-released-or-xpath-injection-issues-are-severely-underrated/
======
jimsmart
The points made are all valid, but in all of the times I’ve used XPath, the
XPath side of things has been inside the code that we control - I’ve never
encountered a use case where the XPath comes from an external source / is
provided by the user (except on websites for experimenting with XPath
queries).

