This script is possibly vulnerable to XPath Injection attacks.
XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input. XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that they may not normally have access to.
Your script should filter metacharacters from user input.