XPath is prone to injection attacks, and a successful injection is made far more damaging by the following features:

  • doc() and json-doc() read XML and JSON from local files or the network and let you join on them.
  • unparsed-text() reads plain text files from the network or local files and dumps their content.
  • environment-variable() lists and reads shell environment variables (a good reason not to put secrets there).
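What exposes the functions above is always the same defect: untrusted input spliced into the expression text, so that a quote in the input ends the string literal and the rest is parsed as XPath syntax. The following is an added example (not from the original page) showing that vulnerable pattern beside the hardened variable-binding form, using Ruby's standard-library REXML; REXML implements XPath 1.0, so doc() and friends are not present, but the concatenation flaw and its fix are identical in any processor. The user store and the probe input are constructed sample data.

```ruby
require 'rexml/document'

# Constructed sample data standing in for an application's user store.
USERS_XML = <<~XML
  <users>
    <user name="alice" role="admin"/>
    <user name="bob" role="user"/>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable: the login name is interpolated into the expression text, so a
# quote in the input terminates the literal and the remainder becomes syntax.
def find_by_name_unsafe(name)
  expr = "//user[@name='#{name}']"
  REXML::XPath.match(DOC, expr).map { |u| u.attributes['name'] }
end

# Hardened: the expression is a fixed string and the input is bound as the
# XPath variable $name, so it is only ever compared as a string value.
def find_by_name_safe(name)
  REXML::XPath.match(DOC, "//user[@name=$name]", nil, { 'name' => name })
             .map { |u| u.attributes['name'] }
end

if __FILE__ == $PROGRAM_NAME
  probe = "' or '1'='1"   # constructed input containing a single quote
  puts "unsafe, ordinary input: #{find_by_name_unsafe('alice').inspect}" # ["alice"]
  puts "unsafe, quoted input:   #{find_by_name_unsafe(probe).inspect}"   # every user
  puts "safe,   quoted input:   #{find_by_name_safe(probe).inspect}"     # []
end
```

The same bound-variable technique (or the processor's equivalent, such as XPathVariableResolver in Java) is the fix to reach for; input filtering alone leaves the expression structure under the caller's control.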