XML Injection
Also Known As
XML injection attack
XML data injection
TL;DR
Unsanitised user input injected into XML documents alters their structure, potentially corrupting data or enabling further attacks.
Explanation
XML injection occurs when user-controlled data is embedded in XML without proper escaping, allowing attackers to insert new elements, attributes, or entire document fragments. In SOAP services and XML configuration files this can alter application logic, inject malicious instructions, or escalate to XXE if the parser resolves external entities. Mitigate by using XML libraries that build documents programmatically rather than via string concatenation, and by encoding user data with htmlspecialchars() (with the ENT_XML1 | ENT_QUOTES flags) or dedicated XML-escaping functions.
How It's Exploited
name = </name><role>admin</role><name>x
# Injects an extra <role>admin</role> node into the XML document
Common Misconception
✗ XML injection is the same as XXE. XML injection manipulates the data content and structure of an XML document. XXE specifically exploits external entity references to read files or trigger SSRF — they are related but distinct attack classes.
Why It Matters
Injecting XML special characters into a document structure can add, modify, or duplicate elements — altering business logic, adding unauthorised users, or escaping intended data context.
Common Mistakes
- Building XML documents by string concatenation with user input instead of using DOMDocument.
- Not escaping <, >, &, ', " in values placed into XML — any of these can break structure.
- Trusting that XML user input is safe after HTML encoding — the escaping contexts differ.
- Adding user input to XML attributes without quoting and escaping the attribute delimiter.
Avoid When
- Never construct XML by string concatenation with user-supplied values.
- Do not assume XML output is safe because the input was validated — encoding must happen at output time.
When To Use
- Escape all user input with htmlspecialchars() using the ENT_XML1 | ENT_QUOTES flags, or with an XML-aware encoder, before embedding it in XML documents.
- Use DOMDocument to build XML programmatically — never concatenate user input into XML strings.
Code Examples
✗ Vulnerable
// User input concatenated into XML — injects nodes
$xml = "<user><name>$name</name></user>";
// name = </name></user><admin>true</admin><name>x
✓ Fixed
// Use DOM API — escaping is automatic
$doc = new DOMDocument();
$user = $doc->createElement('user');
$elem = $doc->createElement('name');
$elem->appendChild($doc->createTextNode($userInput)); // auto-escaped
$user->appendChild($elem);
$doc->appendChild($user);
echo $doc->saveXML();
// Or escape manually for XML context:
$safe = htmlspecialchars($userInput, ENT_XML1 | ENT_QUOTES, 'UTF-8');
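The following is an added, self-contained example (not the glossary's own code) that puts the vulnerable and fixed builders side by side, feeds both the payload from the "How It's Exploited" section, and then re-parses each result with DOMDocument to count injected <role> nodes; the function names, the extra display attribute and the structural check are assumptions for illustration. The concatenated version yields one <role> node, the DOM-built version yields none because the payload is serialised as escaped text.

```php
<?php
// Added example: vulnerable vs. fixed XML construction, plus a parser-based
// structural check that a unit test or detection rule can assert on.
libxml_use_internal_errors(true); // collect parse errors instead of warnings

function buildUserXmlUnsafe(string $name): string {
    // Vulnerable: user data spliced into the markup as-is.
    return "<user><name>$name</name></user>";
}

function buildUserXmlSafe(string $name): string {
    // Fixed: DOMDocument escapes <, > and & in text nodes (and quotes in
    // attributes) when serialising, so the input stays data, not markup.
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $user = $doc->createElement('user');
    $user->setAttribute('display', $name);             // attribute context
    $nameEl = $doc->createElement('name');
    $nameEl->appendChild($doc->createTextNode($name)); // element text context
    $user->appendChild($nameEl);
    $doc->appendChild($user);
    return $doc->saveXML();
}

// Re-parse the document and count <role> elements. Checking structure after
// parsing is more reliable than string-matching a known payload.
// Returns -1 when the injection left the document malformed.
function countRoleNodes(string $xml): int {
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources during the check.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        libxml_clear_errors();
        return -1;
    }
    return $doc->getElementsByTagName('role')->length;
}

// Constructed input: the payload shown in "How It's Exploited".
$payload = '</name><role>admin</role><name>x';

$unsafe = buildUserXmlUnsafe($payload);
$safe   = buildUserXmlSafe($payload);

printf("unsafe: %s\n  role nodes: %d\n", $unsafe, countRoleNodes($unsafe));
printf("safe:   %s  role nodes: %d\n", $safe, countRoleNodes($safe));
```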
Added
15 Mar 2026
Edited
31 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: Medium
⚡ Quick Fix
Use DOMDocument->createTextNode() to safely insert user input into XML — never concatenate user input into XML strings; validate XML structure with a schema (XSD) before processing
📦 Applies To
PHP 5.0+
web
api
🔍 Detection Hints
User input concatenated into XML string; no DOMDocument createTextNode for user content; XML not validated against schema
Auto-detectable:
✓ Yes
semgrep
psalm
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: Function
Tests: Update
CWE-91
CWE-611