Prevent XPath Injection by using XPath constraints

We want to prevent XPath injection on our application by using smart XPath constraints on entities. What is the best practice for using this functionality in Mendix? We are already using XPath constraints in grids and forms but want to know more about how to use this on entities. Thanks.
asked
1 answer

Entity Security is the process you are looking to enforce in your application, and it is extremely recommended by Mendix (if you consult them).

You can edit the Access Rules for each entity in its corresponding Domain Model. Select the XPath constraint tab. You can constrain entity objects to either the current user, or the owner (creator) of the object. You can use the "Path to user" button for easily setting these up.

This also works in tandem with using the "Apply entity access" flag on each Microflow. It is highly recommended that you flag all of your main microflows (not subflows or scheduled events).

Here's some more documentation for you.

answered