Executing XPATH expressions is security-sensitive. It has led in the past to the following vulnerabilities:
User-provided data such as URL parameters should always be considered untrusted and tainted. Constructing XPath expressions directly from tainted data enables attackers to inject specially crafted values that change the initial meaning of the expression itself. Successful XPath injection attacks can read sensitive information from the XML document.
You are at risk if you answered yes to this question.
Sanitize any user input before using it in an XPATH expression.
```php
function evaluate_xpath($doc, $xpathstring, $xmlstring)
{
    $xpath = new DOMXpath($doc);
    // $xpathstring comes from the caller and may be tainted
    $xpath->query($xpathstring); // Questionable
    $xpath->evaluate($xpathstring); // Questionable

    // There is no risk if the xpath is hardcoded
    $xpath->query("/users/user[@name='alice']"); // Compliant
    $xpath->evaluate("/users/user[@name='alice']"); // Compliant

    // An issue will also be created if the SimpleXMLElement is created
    // by simplexml_load_file, simplexml_load_string or simplexml_import_dom
    $xml = new SimpleXMLElement($xmlstring); // constructor takes the XML string, not the DOMDocument
    $xml->xpath($xpathstring); // Questionable

    // There is no risk if the xpath is hardcoded
    $xml->xpath("/users/user[@name='alice']"); // Compliant
}
```
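As an added example that is not part of this rule page, the lookup below builds an XPath expression from a tainted parameter (the pattern flagged as Questionable above) and places it beside two ways of applying the "sanitize any user input" recommendation; the XML document, user names and the `find_user_*` / `xpath_literal` helpers are all constructed here.

```php
<?php
// Added example (not part of this rule page): a user lookup that builds an
// XPath expression from a tainted parameter, beside two hardened variants.
// The XML document, user names and helper functions are all constructed here.
$xmlstring = <<<XML
<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
</users>
XML;
$doc = new DOMDocument();
$doc->loadXML($xmlstring);
$xpath = new DOMXPath($doc);

// Sensitive: tainted data is spliced straight into the expression, so a value
// containing a quote can rewrite the predicate.
function find_user_unsafe(DOMXPath $xpath, string $name): int {
    $nodes = $xpath->query("/users/user[@name='$name']");
    return $nodes === false ? 0 : $nodes->length;
}

// Hardened option 1: allowlist validation; reject rather than repair the value.
function find_user_allowlist(DOMXPath $xpath, string $name): int {
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $name)) {
        return 0;
    }
    return $xpath->query("/users/user[@name='$name']")->length;
}

// Hardened option 2: wrap any string as an XPath string literal. A value that
// contains both quote styles is split on ' and rejoined with concat().
function xpath_literal(string $value): string {
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    $parts = array_map(fn($p) => "'" . $p . "'", explode("'", $value));
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

function find_user_literal(DOMXPath $xpath, string $name): int {
    return $xpath->query("/users/user[@name=" . xpath_literal($name) . "]")->length;
}

$tainted = "' or '1'='1"; // constructed attacker-style input
var_dump(find_user_unsafe($xpath, $tainted));    // injected predicate matches every user
var_dump(find_user_allowlist($xpath, $tainted)); // rejected by the allowlist
var_dump(find_user_literal($xpath, $tainted));   // searched for literally, no match
```

The allowlist is the simplest fix when the input has a known shape; the literal-escaping helper is for values that legitimately contain quotes, and it never leaves the user data outside a string literal.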