Subject: RE: [xsl] The evaluate function
From: "Michael Kay" <michael.h.kay@xxxxxxxxxxxx>
Date: Thu, 3 Jan 2002 18:06:03 -0000
> Apart from all the issues mentioned by Mr. Kay, an eval()
> function makes it rather easy to open security holes in
> a style sheet.
> For example, once you figured out you can put an XPath into
> the nice "Enter your query here" field which is passed
> directly to an eval() function, what will stop you from
> entering
> document("file:///C/Documents and
> Settings/Administrator/preferences.xml")?
> :-)
> Or, if extension functions may be called indiscriminately:
> mswin:delete("C:\*.*","recursive")
>

I don't think you should rely on static analysis to stop stylesheets
performing mischief. The latest Saxon releases have a switch allowing
extension functions to be disabled, so you can run untrusted stylesheets
safely in a servlet environment. It's then up to the web server to
control what URLs are accessible.

Mike Kay

 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
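The attack sketched in the quoted text, and the processor-level switch Mike describes, as an added example that is not part of the original thread. It uses lxml/libxslt rather than Saxon (EXSLT's dyn:evaluate stands in for the eval() function under discussion, and lxml's XSLTAccessControl stands in for Saxon's switch); the stylesheet, the catalog document and the preferences file with its "hunter2" value are all constructed for the demonstration.

```python
"""Untrusted XPath evaluated inside a stylesheet reaching document(), and the
processor-level access policy that shuts it off.  Added example using
lxml/libxslt, not Saxon or the thread's own code."""
import os
import tempfile
from pathlib import Path

from lxml import etree

# Hypothetical "Enter your query here" stylesheet: whatever string arrives in
# $query is handed straight to dyn:evaluate, the EXSLT analogue of eval().
STYLESHEET = b"""\
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dyn="http://exslt.org/dynamic"
    exclude-result-prefixes="dyn">
  <xsl:param name="query" select="'/catalog/item'"/>
  <xsl:template match="/">
    <result><xsl:copy-of select="dyn:evaluate($query)"/></result>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed input document the stylesheet is meant to query.
CATALOG = b"<catalog><item>public data</item></catalog>"

# Constructed stand-in for the preferences.xml in the thread; the value is made up.
SECRET = "hunter2"
SECRET_XML = f"<preferences><password>{SECRET}</password></preferences>"

# lxml's equivalent of the switch Mike mentions: no local file reads and no
# network fetches for document(), xsl:include, xsl:import or xsl:document.
LOCKED_DOWN = etree.XSLTAccessControl(
    read_file=False, write_file=False, create_dir=False,
    read_network=False, write_network=False)


def make_secret_file() -> str:
    """Write the constructed preferences file somewhere the attacker can name."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET_XML)
    return path


def run_query(query: str, access_control=None):
    """Run the stylesheet with the user-supplied $query.

    Returns the serialised result, or None if the processor refused the
    transform (lxml raises XSLTApplyError when access control denies a read).
    """
    transform = etree.XSLT(etree.XML(STYLESHEET), access_control=access_control)
    try:
        result = transform(etree.XML(CATALOG), query=etree.XSLT.strparam(query))
    except etree.XSLTApplyError as exc:
        print(f"transform refused: {exc}")
        return None
    return str(result)


def demo() -> dict:
    """The attacker's document() query, with and without the access policy."""
    path = make_secret_file()
    attacker_query = f"document('{Path(path).as_uri()}')"
    try:
        open_output = run_query(attacker_query)
        locked_output = run_query(attacker_query, LOCKED_DOWN)
    finally:
        os.remove(path)
    return {
        "leaked_without_policy": SECRET in (open_output or ""),
        "leaked_with_policy": SECRET in (locked_output or ""),
    }


if __name__ == "__main__":
    print(run_query("/catalog/item"))   # the intended use of the query field
    print(demo())                       # {'leaked_without_policy': True, 'leaked_with_policy': False}
```

With no policy, the query field turns document() into an arbitrary local file read exactly as the quoted message says; with read_file and read_network denied the same query yields nothing. Denying network reads outright is the blunt form of "the web server controls what URLs are accessible"; a URI resolver with an allowlist is the finer one. Note that lxml has no single kill switch for extension functions the way Saxon does: functions registered through etree.FunctionNamespace are visible to every stylesheet in the process, so a host that runs untrusted stylesheets should simply not register any there.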