Re: [xsl] Can an XSLT document invoke arbitrary extension functions?
Subject: Re: [xsl] Can an XSLT document invoke arbitrary extension functions?|
From: "G. Ken Holman" <gkholman@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 26 Oct 2009 16:53:07 -0400
At 2009-10-26 16:40 -0400, Costello, Roger L. wrote:
Below is an XSLT transform that - supposedly - opens a DOS command
prompt. I saw the XSLT transform in this  briefing (slide 132). I
ran it. It doesn't work; it just produces an error.
Right, because you haven't asked the XSLT processor if it supports
the "getRuntime()" function in the given namespace. If you try
invoking a function that does not exist, the specification states it
is an error:
"If such an extension function occurs in an expression and the extension
function is actually called, the XSLT processor must signal an error."
The way you check is with the function-available() function:
1. Should the below XSLT Transform work? (i.e. is there simply a
minor bug in it, that when fixed, would make it operate as desired?)
The semantics of extension functions are up to the definition and how
it is supported by the processor. It looks like a processor that
supports what you have would work, but how many processors support it?
2. Is there any control over the set of extension functions provided
by XSLT processors?
"control"? An XSLT processor has a set of extension functions or it
doesn't. If the processor offers at invocation time the ability to
turn on or off functions, then I suppose one could then "control"
what extension functions are available in an environment invoked for
3. How do you respond to the briefing's suggestions that XSLT is
riddled with security leaks? (I realize this is a broad question;
any thoughts you have would be appreciated)
There is *nothing* that I know of in the standard XSLT specification
that gives an outside program control. What any particular processor
offers to stylesheets by way of extensions is up to the processor and
is outside the definition of the specification.
So, I would say that XSLT has zero security issues but XSLT
processors (like any other application) may have their own problems
if they implement anything beyond the standard definition.
I think it is unfair to criticize the specification as unsafe when
safe implementations of the specification can be written. A
processor is not required to support any extension at all. I would
think processor writers could offer a "safe mode" if this was a
concern for their users.
I hope this helps.
. . . . . . . . . . Ken
Upcoming: hands-on XSLT, XQuery and XSL-FO Washington DC Nov 2009
Interested in other classes? http://www.CraneSoftwrights.com/s/i/
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/s/
Training tools: Comprehensive interactive XSLT/XPath 1.0/2.0 video
Video lesson: http://www.youtube.com/watch?v=PrNjJCh7Ppg&fmt=18
Video overview: http://www.youtube.com/watch?v=VTiodiij6gE&fmt=18
G. Ken Holman mailto:gkholman@xxxxxxxxxxxxxxxxxxxx
Male Cancer Awareness Nov'07 http://www.CraneSoftwrights.com/s/bc
Legal business disclaimers: http://www.CraneSoftwrights.com/legal