Re: [xsl] XSLT 2.0: Security concerns

Subject: Re: [xsl] XSLT 2.0: Security concerns
From: Robert Koberg <rob@xxxxxxxxxx>
Date: Wed, 18 Jul 2007 11:11:00 -0400
On Thu, 2007-07-19 at 00:25 +0900, Justin Johansson wrote:
> One security concern is that someone may enter XPath code contain the
> document function and
> access (read) files on the server which are not for public consumption.
> The solution to this is
> to check the submitted code and disallow any transform containing the the
> document() function.

Use a custom URIResolver that works for both the import/includes and the
document function.

> Another concern is that someone might try to submit a stylesheet containing
> Java extensions
> and attempt to something really nasty.  To this end, the submitted code is
> restricted to being
> just the body of an XSL stylesheet .. i.e. the server will wrap the code in
> an xsl:stylesheet
> element.

Saxon has a property where you can disable extensions

> Do people have any advice on whether there are any other security concerns
> to be aware of?

yes - result-document. I believe Saxon has a way for you to write a
resolver so that result document output can be controlled (haven't done

Maybe turn off your XML parser's XInclude, Schema, DTD handling


Current Thread