
Potential fix for code scanning alert no. 15: XPath injection#1

Draft
whsalazar wants to merge 1 commit into main from alert-autofix-15

Conversation

@whsalazar
Contributor

Potential fix for https://github.com/whsalazar-org/WebGoat.NET/security/code-scanning/15

To fix the XPath injection vulnerability in this code, we must avoid direct concatenation of user input into the XPath query. The recommended approach is to use a precompiled XPath expression with a variable reference, and substitute the untrusted user input via a custom context and variable binding, as described in the guideline.

Specifically, in FindSalesPerson, replace the dynamic XPath string construction ("//salesperson[state='" + state + "']") with a hardcoded XPath string containing a variable (e.g. $state). Use the XPathNavigator API to create an XPathExpression with that query, and set up an XsltContext that can resolve the $state variable based on user input by using an XsltArgumentList. This requires minor structural changes:

  • Use XPathNavigator instead of XmlNodeList retrieval (since variables are only supported via XPathNavigator and XPathExpression).
  • Set up the correct context for variable resolution.
  • Define and use the custom XsltContext or reuse .NET’s System.Xml.Xsl.XsltContext.
  • Add new using statements for System.Xml.Xsl if not already present.

All changes should be limited to FindSalesPerson in WebGoat/Content/XPathInjection.aspx.cs.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
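The variable-binding approach described in the PR, as an added illustration rather than the code in the PR itself: a minimal XsltContext that resolves $state from an XsltArgumentList, and a FindSalesPerson built on XPathNavigator and XPathExpression that uses it. The XML layout (salesperson elements with a state child) and the method's signature are assumptions.

```csharp
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

// Assumed helper (not in the PR): resolves $name variables from an XsltArgumentList,
// so user input is bound as a value instead of being spliced into the query text.
public class ArgListContext : XsltContext
{
    private readonly XsltArgumentList _args;
    public ArgListContext(XsltArgumentList args) { _args = args; }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        object value = _args.GetParam(name, string.Empty);
        if (value == null) throw new XPathException("Unbound XPath variable: $" + name);
        return new BoundVariable(value);
    }

    // No custom functions are exposed; the remaining abstract members are stubs.
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes) => null;
    public override int CompareDocument(string baseUri, string nextbaseUri) => 0;
    public override bool PreserveWhitespace(XPathNavigator node) => false;
    public override bool Whitespace => false;

    private sealed class BoundVariable : IXsltContextVariable
    {
        private readonly object _value;
        public BoundVariable(object value) { _value = value; }
        public object Evaluate(XsltContext context) => _value;
        public bool IsLocal => false;
        public bool IsParam => false;
        public XPathResultType VariableType => XPathResultType.String;
    }
}

public static class SalesPeople
{
    // Hardened lookup: the query text is a constant and `state` is bound as $state,
    // so quote characters in the input cannot change the structure of the query.
    // Assumed XML shape: <salespeople><salesperson><name/><state/></salesperson>...
    public static XPathNodeIterator FindSalesPerson(XmlDocument doc, string state)
    {
        var args = new XsltArgumentList();
        args.AddParam("state", string.Empty, state);

        XPathNavigator nav = doc.CreateNavigator();
        XPathExpression expr = nav.Compile("//salesperson[state=$state]");
        expr.SetContext(new ArgListContext(args));
        return nav.Select(expr);
    }
}
```

Because the variable is bound as a string value, the XPath engine compares it literally against the state element's text; the original concatenated form has no equivalent boundary.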
