From a59cca6e17cc7b41a9b78b702702f76c34eeddc4 Mon Sep 17 00:00:00 2001
From: arjanth <70694343+arjanth@users.noreply.github.com>
Date: Sun, 14 Dec 2025 20:24:50 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 10: XPath injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 WebGoat/Content/XPathInjection.aspx.cs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/WebGoat/Content/XPathInjection.aspx.cs b/WebGoat/Content/XPathInjection.aspx.cs
index 3c03c6e..81bae44 100644
--- a/WebGoat/Content/XPathInjection.aspx.cs
+++ b/WebGoat/Content/XPathInjection.aspx.cs
@@ -6,6 +6,7 @@
 using System.Web.UI.WebControls;
 using System.Xml;
 using System.Xml.XPath;
+using System.Text.RegularExpressions;
 
 namespace OWASP.WebGoat.NET
 {
@@ -23,9 +24,15 @@ protected void Page_Load(object sender, EventArgs e)
 
         private void FindSalesPerson(string state)
         {
+            // Accept only alphabetic 2-letter abbreviations for state (e.g., "ny", "ca")
+            if (string.IsNullOrEmpty(state) || !System.Text.RegularExpressions.Regex.IsMatch(state, "^[a-zA-Z]{2}$"))
+            {
+                // Invalid state input, do not proceed or handle accordingly
+                return;
+            }
             XmlDocument xDoc = new XmlDocument();
             xDoc.LoadXml(xml);
-            XmlNodeList list = xDoc.SelectNodes("//salesperson[state='" + state + "']");
+            XmlNodeList list = xDoc.SelectNodes("//salesperson[state='" + state.ToLower() + "']");
             if (list.Count > 0)
             {
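Review bot: The `using System.Text.RegularExpressions;` added after `using System.Xml.XPath;` is never used, because the guard added to FindSalesPerson in the following hunk spells out `System.Text.RegularExpressions.Regex.IsMatch(...)` with its fully qualified name, so the directive is dead and it also lands out of alphabetical order among the System.* usings. Either drop the directive, or keep it in sorted position and shorten the call to `Regex.IsMatch(state, "^[a-zA-Z]{2}$")`. The allowlist pattern itself is what closes the XPath injection here, since any quote, bracket or operator character fails `^[a-zA-Z]{2}$` before it can reach the query string. Separately, `state.ToLower()` in that hunk is culture-sensitive; `ToLowerInvariant()` is the safer choice for a value matched against fixed XML data, though the FindSalesPerson hunk runs past the end of this chunk.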