RE: [xsl] The evaluate function

Subject: RE: [xsl] The evaluate function
From: Joerg Pietschmann <joerg.pietschmann@xxxxxx>
Date: Thu, 03 Jan 2002 18:20:02 +0100
Apart from all the issues mentioned by Mr.Kay, an eval()
function makes it rather easy to open security holes in
a style sheet.
For example, once you figured out you can put a XPath into
the nice "Enter your query here" field which is passed
directly to an eval() function, what will stop you from
 document("file:///C/Documents and Settings/Administrator/preferences.xml")?
Or, if extension functions may be called indiscriminately:


 XSL-List info and archive:

Current Thread