Subject: Re: [xsl] XSLT 2.0: Security concerns
From: Justin Johansson <procode@xxxxxxxxxx>
Date: Thu, 19 Jul 2007 01:08:46 +0900

Thanks Rob & Dav for that.

Since joining the list today, I have found people fabulously helpful. I hope my questions have been reasonably interesting to all.

Just about the last security issue I can think of is, and probably not for this list ...

If I have to kill a long running transform by terminating the (Java) thread, there may be a memory leak (I'm using the deprecated thread stop() function) and consequently could be vulnerable to a DOS attack and/or may have to restart the Tomcat server.

Cheers
Justin

>> Do people have any advice on whether there are any other security concerns
>> to be aware of?
>
>yes - result-document. I believe Saxon has a way for you to write a
>resolver so that result document output can be controlled (haven't done
>it).
>
>Maybe turn off your XML parser's XInclude, Schema, DTD handling
>
>best,
>-Rob

>You might want to set ALLOW_EXTERNAL_FUNCTIONS to false,
>see http://www.saxonica.com/documentation/using-xsl/embedding.html
>Dav

Justin Johansson
Freelance XML / XSLT / XQuery Developer
Australia
procode(at)tpg(dot)com(dot)au