RE: [xsl] Saxon Servlet XSLT Version 2.0 Implementation Problem

Subject: RE: [xsl] Saxon Servlet XSLT Version 2.0 Implementation Problem
From: "Michael Kay" <mhk@xxxxxxxxx>
Date: Sun, 1 Jun 2003 21:58:25 +0100

The most likely explanation is that you are actually running Saxon 6.x
rather than Saxon 7.x, as Saxon 6.x will reject the XSLT 2.0 syntax. Use
system-property('xsl:vendor') to check what you are running.

The Saxon sample servlet code will actually run whichever XSLT processor
is selected using the system property
javax.xml.transform.TransformerFactory. I often find that it's
convenient to hard-code the setting of this property using
System.setProperty() in the init() method of the servlet; in other cases
I read the desired property value from the init parameters of the
servlet. Relying on the classpath tends to be a bit fragile.

>
> PS  Also, some people have mentioned that implementing the 
> servlet can be a security risk because people can execute 
> their own xslt using it... possibly, with evil xslt extension 
> functions that eMail rude mail and wipe the server hard 
> drive, does anyone know of an easy way to protect against this?

It's a good idea to either (a) set the Saxon property that disables
extension functions, or (b) disallow the use of arbitrary URLs for the
stylesheet.

Michael Kay


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list

