Subject: [xsl] xsl 1.1 security model? From: Francis Norton <francis@xxxxxxxxxxx> Date: Wed, 21 Mar 2001 19:05:20 +0000 |
There's an interesting problem with xslt 1.1 client-side security. Two of the main features are the document and script elements. I think that the spec should say something about user-agents having the ability to disable xsl:script (for anything except XSLT, of course). And I think we should consider the implications of a non-script feature which allows the transform to [a] write, say, a destructive shell file to disk, and [b] update startup.cmd or whatever so that the file gets called next time the machine reboots. >From a security point of view, I want to treat XML files as data not code. I particularly don't want justifiably paranoid firewall admins all over the net blocking *.xsl? files at the http, ftp and email firewalls. Perhaps we could we discuss which features should be enabled by default, and whether they should be by default disabled for automatically invoked stylesheets from external machines, or from any machine, or what? Francis. XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
Current Thread |
---|
|
<- Previous | Index | Next -> |
---|---|---|
RE: [xsl] [XSLT] [Q] Recursion Ques, Michael Kay | Thread | RE: [xsl] xsl 1.1 security model?, Michael Kay |
RE: [xsl] [XSLT] [Q] Recursion Ques, Chris Bayes | Date | Re: [xsl] [XSLT] [Q] Recursion Ques, Francis Norton |
Month |