Subject: RE: [xsl] The evaluate function From: "Brinkman, Theodore" <Theodore.Brinkman@xxxxxxxxxxxxxxxxxxxx> Date: Thu, 3 Jan 2002 12:27:04 -0500 |
The same thing that prevents the same situation in ASP, Perl, or PHP based web applications. Developer intelligence sufficient to realize that you check EVERYTHING you get from the client before acting upon it. - Theo -----Original Message----- From: Joerg Pietschmann [mailto:joerg.pietschmann@xxxxxx] Sent: Thursday, January 03, 2002 12:20 PM To: XSL List Subject: RE: [xsl] The evaluate function Apart from all the issues mentioned by Mr.Kay, an eval() function makes it rather easy to open security holes in a style sheet. For example, once you figured out you can put a XPath into the nice "Enter your query here" field which is passed directly to an eval() function, what will stop you from entering document("file:///C/Documents and Settings/Administrator/preferences.xml")? :-) Or, if extension functions may be called indiscriminately: mswin:delete("C:\*.*","recursive") Regards J.Pietschmann XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
Current Thread |
---|
|
<- Previous | Index | Next -> |
---|---|---|
RE: [xsl] The evaluate function, Michael Kay | Thread | RE: [xsl] The evaluate function, Matt G. |
Re: [xsl] Re: Re: Assignment no, dy, Wendell Piez | Date | RE: [xsl] The evaluate function, Michael Kay |
Month |