Subject: Re: [xsl] XSLT 2.0: Security concerns
From: Robert Koberg <rob@xxxxxxxxxx>
Date: Wed, 18 Jul 2007 11:11:00 -0400
On Thu, 2007-07-19 at 00:25 +0900, Justin Johansson wrote:
> One security concern is that someone may enter XPath code containing the
> document function and access (read) files on the server which are not for
> public consumption. The solution to this is to check the submitted code and
> disallow any transform containing the document() function.

Use a custom URIResolver that works for both the import/includes and the
document function.

> Another concern is that someone might try to submit a stylesheet containing
> Java extensions and attempt to do something really nasty. To this end, the
> submitted code is restricted to being just the body of an XSL stylesheet ..
> i.e. the server will wrap the code in an xsl:stylesheet element.

Saxon has a property where you can disable extensions.

> Do people have any advice on whether there are any other security concerns
> to be aware of?

Yes - result-document. I believe Saxon has a way for you to write a resolver
so that result document output can be controlled (haven't done it).

Maybe turn off your XML parser's XInclude, Schema, DTD handling.

best,
-Rob
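Rob's three suggestions above (a confining URIResolver, disabling extensions, switching off XInclude/DTD handling in the parser), as an added Java example that is not code from this thread or from Saxon itself: a JAXP URIResolver that only serves files from one directory and refuses any href with a scheme or one that escapes that directory, installed on a TransformerFactory with JAXP secure processing on and Saxon's allow-external-functions attribute off, plus a DocumentBuilderFactory with XInclude and DTDs disabled. The class name, the directory layout and the choice of Xerces/SAX feature URIs are assumptions; xsl:result-document is not covered here.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamSource;

// Assumption: every module or data file that user-submitted stylesheets may read lives under one directory.
public final class ConfinedResolver implements URIResolver {
    private final Path root;
    public ConfinedResolver(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }
    // Invoked for xsl:import, xsl:include and document(); anything outside root is refused.
    @Override
    public Source resolve(String href, String base) throws TransformerException {
        if (href.contains(":")) {                        // refuse any URI carrying a scheme (file:, http:, jar:, ...)
            throw new TransformerException("refused: " + href);
        }
        Path target = root.resolve(href).normalize();    // absolute or ../ hrefs normalise to a path outside root
        if (!target.startsWith(root) || !Files.isRegularFile(target)) {
            throw new TransformerException("refused: " + href);
        }
        return new StreamSource(target.toFile());
    }
    // Transformer factory with extension functions off and the confined resolver installed for all transformers it creates.
    public static TransformerFactory hardenedTransformers(Path root) throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute("http://saxon.sf.net/feature/allow-external-functions", Boolean.FALSE); // Saxon attribute key
        tf.setURIResolver(new ConfinedResolver(root));
        return tf;
    }
    // Parser factory with XInclude and DTD processing switched off (Xerces/SAX feature URIs).
    public static DocumentBuilderFactory hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setXIncludeAware(false);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return dbf;
    }
}
```

Because the resolver is set on the factory, every Transformer built from it inherits it, so a submitted stylesheet cannot bypass the check by calling document() with a different base URI.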