Subject: RE: [xsl] The evaluate function
From: "Michael Kay" <michael.h.kay@xxxxxxxxxxxx>
Date: Thu, 3 Jan 2002 18:06:03 -0000
> Apart from all the issues mentioned by Mr.Kay, an eval()
> function makes it rather easy to open security holes in
> a style sheet.
> For example, once you figured out you can put an XPath into
> the nice "Enter your query here" field which is passed
> directly to an eval() function, what will stop you from
> entering
> document("file:///C/Documents and Settings/Administrator/preferences.xml")?
> :-)
> Or, if extension functions may be called indiscriminately:
> mswin:delete("C:\*.*","recursive")
>
I don't think you should rely on static analysis to stop stylesheets
performing mischief.
The latest Saxon releases have a switch allowing extension functions to be
disabled, so you can run untrusted stylesheets safely in a servlet
environment. It's then up to the web server to control what URLs are
accessible.
Mike Kay
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
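The two abuses quoted above (a user-supplied XPath reaching document() and an extension function) and the processor-level fix Kay describes, as an added example that is not part of the thread and does not use Saxon: it runs the same pattern through lxml/libxslt, where EXSLT dyn:evaluate() plays the role of the evaluate() function and XSLTAccessControl plus "register no extensions" play the role of Saxon's switch. The stylesheet, the catalog document, the app:delete extension (a recorder standing in for the mswin:delete of the thread) and the preferences.xml file are all constructed here.

```python
# Added example (not from the thread, and not Saxon): the same eval()-style
# hole reproduced with lxml/libxslt, then closed at processor level rather
# than by inspecting the stylesheet.  The stylesheet, the app:delete
# extension and the preferences.xml file are all constructed here.
import tempfile
from pathlib import Path

from lxml import etree

APP_NS = "urn:example:app"  # hypothetical namespace for the extension function

# The stylesheet does the dangerous thing from the thread: the "query"
# parameter (whatever the user typed into the search box) goes straight to
# EXSLT dyn:evaluate(), the XSLT 1.0 equivalent of an evaluate() function.
STYLESHEET = """\
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dyn="http://exslt.org/dynamic"
    xmlns:app="urn:example:app"
    exclude-result-prefixes="dyn app">
  <xsl:param name="query" select="'/catalog/item'"/>
  <xsl:template match="/">
    <result><xsl:copy-of select="dyn:evaluate($query)"/></result>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed input document: the only data the user is meant to query.
CATALOG = "<catalog><item>public widget</item></catalog>"


class DeleteRecorder:
    """Stand-in for a destructive extension such as the mswin:delete in the
    thread.  It records the request instead of touching the filesystem."""

    def __init__(self):
        self.requests = []

    def delete(self, context, path, *flags):
        # lxml passes XPath string literals as str and node-sets as lists.
        if isinstance(path, list):
            path = "".join(str(p) for p in path)
        self.requests.append(str(path))
        return "deleted"


def render(query, harden, recorder):
    """Apply the stylesheet to CATALOG with an untrusted $query.

    harden=False mirrors a servlet that registers its extensions and lets
    document() fetch anything.  harden=True is the mitigation Kay describes,
    done the lxml way: extension functions are not registered at all, and
    every file/network read or write the stylesheet might attempt is denied
    by the processor.  Returns the serialised result, or None if the
    processor refused the transformation outright."""
    stylesheet = etree.XML(STYLESHEET)
    if harden:
        access = etree.XSLTAccessControl(
            read_file=False, write_file=False, create_dir=False,
            read_network=False, write_network=False)
        transform = etree.XSLT(stylesheet, access_control=access)
    else:
        transform = etree.XSLT(
            stylesheet, extensions={(APP_NS, "delete"): recorder.delete})
    try:
        result = transform(etree.XML(CATALOG),
                           query=etree.XSLT.strparam(query))
    except etree.LxmlError:
        return None
    return str(result)


def demo():
    """Run benign, file-read and extension-call queries against both
    configurations; returns the outcomes so a caller can check them."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the Administrator's preferences.xml.
        secret = Path(tmp) / "preferences.xml"
        secret.write_text(
            "<preferences><password>hunter2</password></preferences>")
        read_query = "document('%s')" % secret.as_uri()
        delete_query = "app:delete('C:/*.*', 'recursive')"
        vuln, hard = DeleteRecorder(), DeleteRecorder()
        return {
            "vulnerable_benign": render("/catalog/item", False, vuln),
            "vulnerable_read": render(read_query, False, vuln),
            "vulnerable_delete": render(delete_query, False, vuln),
            "hardened_benign": render("/catalog/item", True, hard),
            "hardened_read": render(read_query, True, hard),
            "hardened_delete": render(delete_query, True, hard),
            "vulnerable_deletes": vuln.requests,
            "hardened_deletes": hard.requests,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The point of the split is the one Kay makes: nothing in render() looks at the query text. The legitimate `/catalog/item` query still works under the hardened configuration, while the document() read is refused by the processor's access control and the app:delete call fails because the function simply does not exist in that transformation; what URLs remain reachable is then a question for the resolver and the web tier, not for a filter on the stylesheet.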