Subject: Re: [xsl] XSLT programs that blur the distinction between program and data?
From: "Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Apr 2022 13:27:35 -0000
Hi,

And on the flip side, using an XSLT-based process to extract meaningful information from a docx source is a nice way to read and understand its contents (to some definition of "contents") without risk of executing embedded macros ... a Word document is a program and XSLT offers a way to get the data out of it -- maybe mapping it into another program such as an HTML page with embedded Javascript.

Caveat executor, indeed.

Cheers, Wendell

-----Original Message-----
From: Michael Kay mike@xxxxxxxxxxxx <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Sunday, April 10, 2022 6:14 AM
To: xsl-list <xsl-list@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [xsl] XSLT programs that blur the distinction between program and data?

>
> In general, any interpreter treats its data as "the program" ...
>
> Needless to say using <xsl:evaluate> in unrestricted ways could be a significant security risk,
>

Indeed. And I've certainly seen (and written) real applications in which xsl:evaluate (or equivalent) was used to evaluate XPath expressions read from cells in Excel spreadsheets. The operating system has no idea this is going on, so the distinction between read permission and execute permission is meaningless.

Michael Kay
Saxonica
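As an added illustration of the pattern Michael describes (this is not code from either poster): an XSLT 3.0 stylesheet that reads "formulas" from a constructed stand-in for a spreadsheet and hands a cell to xsl:evaluate only after it matches a fixed allowlist, so the application, rather than the operating system, decides which cell contents are data and which would be a program. It assumes an XSLT 3.0 processor with xsl:evaluate enabled; the sheet, the order data, the cell ids and the allowlist pattern are all constructed for the example.

```xml
<xsl:stylesheet version="3.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:err="http://www.w3.org/2005/xqt-errors"
    exclude-result-prefixes="#all">
  <xsl:output method="text"/>

  <!-- Constructed stand-in for the spreadsheet: each cell holds a "formula" that is really XPath -->
  <xsl:variable name="sheet">
    <sheet>
      <cell id="A1">count(//item)</cell>
      <cell id="A2">sum(//item/@price)</cell>
      <cell id="A3">unparsed-text('secrets.txt')</cell>
    </sheet>
  </xsl:variable>

  <!-- Constructed data the formulas are meant to summarise -->
  <xsl:variable name="data">
    <order><item price="3"/><item price="4"/></order>
  </xsl:variable>

  <!-- Allowlist (an assumption about what the application needs): one aggregate over one path.
       Anything else, including calls that reach the file system or network, never reaches xsl:evaluate.
       A processor may also disable xsl:evaluate entirely; system-property('xsl:supports-dynamic-evaluation') reports that. -->
  <xsl:variable name="allowed" as="xs:string"
      select="'^(count|sum|avg|min|max)\(//[A-Za-z_][\w/@-]*\)$'"/>

  <xsl:template name="xsl:initial-template">
    <xsl:for-each select="$sheet/sheet/cell">
      <xsl:variable name="formula" select="normalize-space(.)"/>
      <xsl:choose>
        <xsl:when test="not(matches($formula, $allowed))">
          <xsl:value-of select="@id || ': rejected, not an allowed formula: ' || $formula || '&#10;'"/>
        </xsl:when>
        <xsl:otherwise>
          <xsl:try>
            <!-- context-item pins evaluation to our own data tree -->
            <xsl:variable name="result" as="item()*">
              <xsl:evaluate xpath="$formula" context-item="$data"/>
            </xsl:variable>
            <xsl:value-of select="@id || ' = ' || string-join($result ! string(), ' ') || '&#10;'"/>
            <xsl:catch errors="*">
              <xsl:value-of select="@id || ': evaluation failed: ' || $err:description || '&#10;'"/>
            </xsl:catch>
          </xsl:try>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>
```

Run it with a Saxon Transform command line using -it (no source document is needed); A1 and A2 evaluate to 2 and 7, while A3 is reported as rejected before any evaluation takes place.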