RE: [xsl] The evaluate function

Subject: RE: [xsl] The evaluate function
From: Joerg Pietschmann <joerg.pietschmann@xxxxxx>
Date: Thu, 03 Jan 2002 18:20:02 +0100

Apart from all the issues mentioned by Mr.Kay, an eval()
function makes it rather easy to open security holes in
a style sheet.
For example, once you figured out you can put a XPath into
the nice "Enter your query here" field which is passed
directly to an eval() function, what will stop you from
entering
 document("file:///C/Documents and Settings/Administrator/preferences.xml")?
 :-)
Or, if extension functions may be called indiscriminately:
 mswin:delete("C:\*.*","recursive")

Regards
J.Pietschmann

 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list

Current Thread
RE: [xsl] The evaluate function, (continued) Evan Lenz - Thu, 3 Jan 2002 11:57:02 -0800 Jeni Tennison - Fri, 4 Jan 2002 11:11:19 +0000 Mark Feblowitz - Wed, 2 Jan 2002 18:46:03 -0500 Evan Lenz - Thu, 3 Jan 2002 11:43:01 -0800 Joerg Pietschmann - Thu, 03 Jan 2002 18:20:02 +0100 <= Michael Kay - Thu, 3 Jan 2002 18:06:03 -0000 Brinkman, Theodore - Thu, 3 Jan 2002 12:27:04 -0500 Matt G. - Fri, 04 Jan 2002 01:43:20 Joerg Pietschmann - Tue, 08 Jan 2002 14:16:05 +0100

Current Thread

RE: [xsl] The evaluate function, (continued)
- Mark Feblowitz - Wed, 2 Jan 2002 18:46:03 -0500
  - Evan Lenz - Thu, 3 Jan 2002 11:43:01 -0800
- Joerg Pietschmann - Thu, 03 Jan 2002 18:20:02 +0100 <=
  - Michael Kay - Thu, 3 Jan 2002 18:06:03 -0000
- Brinkman, Theodore - Thu, 3 Jan 2002 12:27:04 -0500
- Matt G. - Fri, 04 Jan 2002 01:43:20
- Joerg Pietschmann - Tue, 08 Jan 2002 14:16:05 +0100

<- Previous	Index	Next ->
RE: [xsl] The evaluate function, Evan Lenz	Thread	RE: [xsl] The evaluate function, Michael Kay
[xsl] leading : on qnames, David Carlisle	Date	[xsl] Hopefully not a terribly sill, Morgan Goeller
	Month

<-prev [Thread] next->	<-prev [Date] next->
Month Index \| List Home