Re: [xsl] XSLT 2.0: Security concerns

Subject: Re: [xsl] XSLT 2.0: Security concerns
From: Justin Johansson <procode@xxxxxxxxxx>
Date: Thu, 19 Jul 2007 01:08:46 +0900
Thanks Rob & Dav for that. Since joining the list today, I have found people
fabulously helpful. I hope my questions have been reasonably interesting
to all.

Just about the last security issue I can think of is, and probably not for
this list ...

If I have to kill a long running transform by terminating the (Java) thread,
there may be a memory leak (I'm using the deprecated thread stop() function)
and consequently could be vulnerable to a DoS attack and/or may have to restart
the Tomcat server.

>> Do people have any advice on whether there are any other security concerns
>> to be aware of?
>yes - result-document. I believe Saxon has a way for you to write a
>resolver so that result document output can be controlled (haven't done
>Maybe turn off your XML parser's XInclude, Schema, DTD handling

>You might want to set ALLOW_EXTERNAL_FUNCTIONS to false,

Justin Johansson
Freelance XML / XSLT / XQuery Developer
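The two hardening points raised in the quoted replies (turning off external/extension functions, and turning off XInclude, DTD and external-entity handling on the source parser) plus a bounded-time alternative to Thread.stop() can be put together in one small JAXP/Saxon setup. The following is an added example written for this thread, not code from the original message or from the Saxon project. It assumes Java 8 or later, that Saxon is the TransformerFactory in use (the feature URI `http://saxon.sf.net/feature/allow-external-functions` is Saxon's ALLOW_EXTERNAL_FUNCTIONS key; a non-Saxon factory would reject it with IllegalArgumentException), and that the SAX parser is the JDK's built-in Xerces, which understands the `disallow-doctype-decl` feature string. The stylesheet and input document are constructed sample data.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedTransform {

    // Saxon's attribute URI for the "allow external functions" switch (assumed: Saxon is the factory).
    static final String SAXON_ALLOW_EXTERNAL_FUNCTIONS =
            "http://saxon.sf.net/feature/allow-external-functions";

    /** TransformerFactory with Java extension functions disabled. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Saxon-specific: stylesheets may no longer call arbitrary Java methods.
        tf.setAttribute(SAXON_ALLOW_EXTERNAL_FUNCTIONS, Boolean.FALSE);
        // Standard JAXP switch; Saxon 9 maps it onto the same external-functions setting.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return tf;
    }

    /** SAX reader for the source document with XInclude, DTDs and external entities turned off. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setXIncludeAware(false);   // no XInclude expansion of the input
        // Xerces feature strings (assumed: JDK built-in parser). Refuse any DOCTYPE outright,
        // which also removes external entity and entity-expansion problems.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf.newSAXParser().getXMLReader();
    }

    /**
     * Runs the transform on a daemon worker thread and waits at most timeoutSeconds.
     * On timeout the job is cancelled (interrupt only) and abandoned; the worker is never
     * stopped with Thread.stop(), so no locks or internal state are left corrupted. A pure
     * CPU-bound transform will not notice the interrupt, which is why the thread is a daemon:
     * it cannot keep the container alive, but it does hold memory until it finishes.
     */
    static String transformWithTimeout(String xsl, String xml, long timeoutSeconds) throws Exception {
        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xsl)));
        SAXSource src = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        StringWriter out = new StringWriter();

        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread th = new Thread(r, "xslt-worker");
            th.setDaemon(true);
            return th;
        });
        Future<Object> job = pool.submit(() -> { t.transform(src, new StreamResult(out)); return null; });
        try {
            job.get(timeoutSeconds, TimeUnit.SECONDS);
            return out.toString();
        } catch (TimeoutException e) {
            job.cancel(true);
            throw new IllegalStateException("transform exceeded " + timeoutSeconds + "s and was abandoned", e);
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stylesheet and input, not taken from the thread.
        String xsl = "<xsl:stylesheet version=\"2.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                   + "<xsl:template match=\"/\"><out><xsl:value-of select=\"count(//item)\"/></out></xsl:template>"
                   + "</xsl:stylesheet>";
        String xml = "<items><item/><item/><item/></items>";
        System.out.println(transformWithTimeout(xsl, xml, 5));
    }
}
```

The `result-document` point from the thread is deliberately left out of this block: Saxon's hook for it is the `OutputURIResolver` interface, which lets the application decide what `Result` each `href` maps to (and therefore whether a stylesheet may write outside an allowed directory at all); its exact method set has changed between Saxon releases, so check the version in use before implementing it.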
