Subject: RE: Fw: Signing of XSL scripts
From: "John Dreystadt" <jdreysta@xxxxxxxxxxxxx>
Date: Fri, 29 May 1998 18:18:17 -0400

I agree that the core language has no system functions. The issue is what objects are defined. ECMAScript expects a "host" object to exist. I assume this name was chosen because this is the representation of the application "hosting" the script. I can easily imagine someone wanting to implement an escape to an external application for complex processing. How about queries to an external database? I hope that nobody implements something dangerous but I am concerned that a naive implementor might just pull some pieces off the shelf and expose users to risks without proper consideration while trying to satisfy a perceived need for escapes to external applications.

John Dreystadt

> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxx]On Behalf Of Paul Prescod
> Sent: Friday, May 29, 1998 10:01 AM
> To: xsl-list@xxxxxxxxxxxxxxxx
> Subject: Re: Fw: Signing of XSL scripts
>
> John Dreystadt wrote:
> >
> > An alternative direction for secure scripting is the model adopted by
> > the TCL community. They use "SafeTCL" which is a variation on the usual
> > TCL interpreter. SafeTCL has the dangerous components removed or
> > restricted.
>
> ECMAScript is already safe. If I recall correctly, the core language has
> no system functions at all. Only extensions could provide access to system
> resources.
>
> > I believe that we should start by examining what web browsers allow
> > ECMAScript to do, determine what needs to be added for XSL (maybe
> > nothing) and then determine how to add the new functionality safely.
>
> The things to be added have nothing to do with files, hard disks, dialog
> boxes or other system resources. You would have to work hard to add them
> in a non-safe manner.
>
> Paul Prescod - http://itrc.uwaterloo.ca/~papresco
>
> Three things never trust in: That's the vendor's final bill
> The promises your boss makes, and the customer's good will
> http://www.geezjan.org/humor/computers/threes.html
>
> XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list