AEM - How can we prevent blind XPath injection in an AEM Page?? | Community

2 replies

arunpatidar
Community Advisor
Accepted solution
March 27, 2023
maryani
Author
Level 2
March 27, 2023

Thank you for the reply

DPrakashRaj
Community Advisor
April 1, 2023

If it’s a publisher, you can block all the suffixes from the dispatcher by adding a rule in the filter section:


# Block use of all suffixes on any resource in /content
/0160 { /type "deny" /url "/content*" /suffix "*" }

# Suffix patterns which are needed on the server side can be added in an allow list manner
/0161 { /type "allow" /url "/content/we-retail/us/en/equipment/*" /suffix "/content/we-retail/*" /method "GET" }

Rule 0160 is for blocking suffix requests from bypassing the dispatcher and hitting your AEM publisher.
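
A small offline model of how rules 0160 and 0161 above combine, added here as an example; it is not part of the reply above and is not dispatcher code. It assumes glob matching via Python's `fnmatch`, a Sling-style suffix split after the first extension, that a `/suffix` rule applies only when the request carries a suffix, and that the last matching filter rule is the effective one; the sample URLs are constructed.

```python
import re
from fnmatch import fnmatchcase

# The two filter rules from the answer, in file order.
RULES = [
    ("0160", {"type": "deny", "url": "/content*", "suffix": "*"}),
    ("0161", {"type": "allow", "url": "/content/we-retail/us/en/equipment/*",
              "suffix": "/content/we-retail/*", "method": "GET"}),
]

def split_suffix(path):
    """Assumed Sling-style split: the suffix starts at the first '/' after
    the first '.selectors.extension' segment; empty if there is none."""
    m = re.match(r"^[^.]*\.[^/]*(/.*)?$", path)
    return (m.group(1) or "") if m else ""

def rule_matches(rule, method, url):
    path = url.split("?", 1)[0]  # the model matches on the path only
    suffix = split_suffix(path)
    if "method" in rule and rule["method"] != method:
        return False
    if "url" in rule and not fnmatchcase(path, rule["url"]):
        return False
    # Assumption: a rule with /suffix applies only when a suffix is present.
    if "suffix" in rule and not (suffix and fnmatchcase(suffix, rule["suffix"])):
        return False
    return True

def decide(method, url, rules=RULES):
    """Return (verdict, rule id); the last matching rule is the effective one."""
    verdict, rule_id = "unmatched", None  # unmatched: left to other filter rules
    for rid, rule in rules:
        if rule_matches(rule, method, url):
            verdict, rule_id = rule["type"], rid
    return verdict, rule_id

# Constructed sample requests (not taken from the thread).
EQUIP = "/content/we-retail/us/en/equipment/item.html"
SAMPLES = [
    ("GET", "/content/we-retail/us/en.html"),
    ("GET", "/content/we-retail/us/en.html/anything/appended"),
    ("GET", EQUIP + "/content/we-retail/us/en/products/p1"),
    ("POST", EQUIP + "/content/we-retail/us/en/products/p1"),
    ("GET", EQUIP + "/etc/other"),
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        print(f"{method:4} {url} -> {decide(method, url)}")
```

In this model only the GET request to the equipment page with a `/content/we-retail/*` suffix passes; every other suffixed request under `/content` is denied by 0160.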