diff --git a/WebGoat/Content/XPathInjection.aspx.cs b/WebGoat/Content/XPathInjection.aspx.cs
index 3c03c6e..81bae44 100644
--- a/WebGoat/Content/XPathInjection.aspx.cs
+++ b/WebGoat/Content/XPathInjection.aspx.cs
@@ -6,6 +6,7 @@
 using System.Web.UI.WebControls;
 using System.Xml;
 using System.Xml.XPath;
+using System.Text.RegularExpressions;
 namespace OWASP.WebGoat.NET
 {
@@ -23,9 +24,15 @@ protected void Page_Load(object sender, EventArgs e)
 private void FindSalesPerson(string state)
 {
+ // Accept only alphabetic 2-letter abbreviations for state (e.g., "ny", "ca")
+ if (string.IsNullOrEmpty(state) || !System.Text.RegularExpressions.Regex.IsMatch(state, "^[a-zA-Z]{2}$"))
+ {
+ // Invalid state input, do not proceed or handle accordingly
+ return;
+ }
 XmlDocument xDoc = new XmlDocument();
 xDoc.LoadXml(xml);
- XmlNodeList list = xDoc.SelectNodes("//salesperson[state='" + state + "']");
+ XmlNodeList list = xDoc.SelectNodes("//salesperson[state='" + state.ToLower() + "']");
 if (list.Count > 0)
 {
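Review bot: The allowlist in the new guard still accepts a value with a trailing newline, because in .NET `$` also matches just before a final `\n`, and the value is then concatenated into the XPath string two lines later; anchor the pattern with `\z` and fold case without the current culture, `Regex.IsMatch(state, @"^[a-zA-Z]{2}\z")` and `state.ToLowerInvariant()` (plain `ToLower()` can turn "I" into a non-ASCII character under some cultures and miss the match). The first hunk adds `using System.Text.RegularExpressions;` while the call in this hunk is fully qualified, so one of the two is redundant; with the directive in place the call can simply be `Regex.IsMatch(...)`. The bare `return` on rejected input gives the caller no signal that validation failed, so a comment such as `// Rejected input: the page shows an empty result rather than an error` would make that choice explicit, or a validation message could be surfaced. Even with the allowlist, building the XPath by string concatenation leaves the guard as the only barrier; selecting `//salesperson` and comparing each node's `state` child in code with an ordinal comparison would remove the string construction altogether. FindSalesPerson's body continues past the end of this hunk.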