Subject: RE: [xsl] The evaluate function
From: Joerg Pietschmann <joerg.pietschmann@xxxxxx>
Date: Thu, 03 Jan 2002 18:20:02 +0100

Apart from all the issues mentioned by Mr. Kay, an eval() function makes it rather easy to open security holes in a style sheet. For example, once you figured out you can put an XPath into the nice "Enter your query here" field which is passed directly to an eval() function, what will stop you from entering document("file:///C/Documents and Settings/Administrator/preferences.xml")? :-)

Or, if extension functions may be called indiscriminately:

    mswin:delete("C:\*.*","recursive")

Regards
J.Pietschmann

XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
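
The following is an added example, not part of the original post or of any XSLT processor: a fail-closed check that a host application could run on the query field before handing it to an evaluate function. It assumes XPath 1.0 syntax; the function name `check_xpath` and the allowlist contents are illustrative policy choices.

```python
import re

# Assumed policy: XPath 1.0 core functions that cannot read files or run code.
ALLOWED = frozenset("""count position last name local-name string concat contains
    starts-with substring substring-before substring-after string-length
    normalize-space translate not true false boolean number sum floor ceiling
    round""".split())
# Node tests and operator names that may precede "(" but are not function calls.
NOT_CALLS = frozenset({"text", "node", "comment", "processing-instruction",
                       "and", "or", "div", "mod"})

_LITERAL = re.compile(r'"[^"]*"|\'[^\']*\'')
_SAFE_CHARS = re.compile(r'[A-Za-z0-9_.\-\s/@*\[\]()=!<>|+,:$]*', re.ASCII)
_CALL = re.compile(r'([A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?)\s*\(', re.ASCII)


def check_xpath(expr):
    """Return (ok, reason) for an untrusted XPath 1.0 expression."""
    # Blank out string literals so their contents are never read as syntax.
    bare = _LITERAL.sub(" ", expr)
    # Fail closed on unterminated quotes and characters outside XPath 1.0 syntax.
    if not _SAFE_CHARS.fullmatch(bare):
        return False, "unexpected character or unterminated literal"
    for match in _CALL.finditer(bare):
        name = match.group(1)
        if ":" in name:
            return False, "prefixed (extension) function: " + name
        if name not in NOT_CALLS and name not in ALLOWED:
            return False, "function not on allowlist: " + name
    return True, "ok"


# Constructed inputs; the two rejected calls are the ones quoted in the post.
SAMPLES = [
    '//book[contains(title, "XPath")]/price',
    '//item[a and (b or c)]/text()',
    '//x[. = "document("]',
    'document("file:///C/Documents and Settings/Administrator/preferences.xml")',
    r'mswin:delete("C:\*.*","recursive")',
    "count(//a | document('x'))",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_xpath(sample), sample)
```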