Subject: Re: [xsl] Allowing users to upload XSLT
From: "bryan rasmussen" <rasmussen.bryan@xxxxxxxxx>
Date: Thu, 26 Jul 2007 09:58:16 +0200
For an initial comment, the same security restrictions that apply to GRDDL http://www.w3.org/2001/sw/grddl-wg/:
1. use of document function - can be used to read local files that you might not want accessible.
2. use of extension functions in your processor that can run other types of code - example msxsl script - but you don't have that problem
3. maybe XML security problems, stuff like external entities http://www.securiteam.com/securitynews/6D0100A5PU.html I would suppose libxml handles this well though, but have not done research on the matter.
By the way I need to sort of do the same thing in a project I am building. Would you like to discuss this further? I'm going to be offline for the next couple weeks starting tonight so if you say yes tomorrow I can't reply for a bit :)
Cheers, Bryan Rasmussen
I was wondering if there were any security considerations with allowing users to upload their own XSLT? I'm using libxsl which seems to guard against infinite loops etc., but I was unsure if there were other things which I should consider from a security pov.
thanks in advance Andrew
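
As an added illustration, not part of the mailing-list thread: a standard-library Python pre-screen for the three points listed in the reply above (the document function, extension functions and script blocks, and DTD-declared entities). The finding names, the `urn:example:ext` namespace and the sample stylesheet are constructed for this example; the screen is deliberately conservative and does not replace restrictions configured in the XSLT processor itself.

```python
import re
from xml.parsers import expat

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# document( used as a function call in an XPath expression or attribute value template.
DOCUMENT_CALL = re.compile(r"(?<![\w.:-])document\s*\(")
# prefix:name( is how XPath 1.0 spells a call to an extension function.
PREFIXED_CALL = re.compile(r"(?<![\w.:-])[A-Za-z_][\w.-]*:[A-Za-z_][\w.-]*\s*\(")
# Constructed sample upload (placeholder path, hypothetical ext namespace).
SAMPLE = b"""<xsl:stylesheet version="1.0" xmlns:ext="urn:example:ext"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform" extension-element-prefixes="ext">
  <xsl:template match="/"><xsl:copy-of select="document('file:///path/to/local-file')"/>
    <xsl:value-of select="ext:run(.)"/></xsl:template></xsl:stylesheet>"""

class _DoctypeSeen(Exception):
    """Raised from the DOCTYPE handler so parsing stops before any entity is used."""

def screen_stylesheet(data: bytes) -> list:
    """Return sorted findings for an uploaded stylesheet; [] means nothing was flagged."""
    findings, depth = set(), [0]
    def on_doctype(*_):
        raise _DoctypeSeen()  # entities can only be declared inside a DTD

    def on_start(tag, attrs):
        uri = tag.rpartition(" ")[0]
        if depth[0] == 1 and uri != XSL_NS:
            findings.add("non-xslt-top-level-element")  # e.g. an msxsl:script block
        for name, value in attrs.items():
            if name.rpartition(" ")[2] == "extension-element-prefixes":
                findings.add("extension-element-prefixes")
            if DOCUMENT_CALL.search(value):
                findings.add("document()")
            if uri == XSL_NS and PREFIXED_CALL.search(value):
                findings.add("extension-function-call")
        depth[0] += 1

    def on_end(tag):
        depth[0] -= 1

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler, parser.EndElementHandler = on_start, on_end
    try:
        parser.Parse(data, True)
    except _DoctypeSeen:
        findings.add("doctype")
    except expat.ExpatError:
        findings.add("not-well-formed")
    return sorted(findings)
```

Calling `screen_stylesheet(SAMPLE)` reports the document call and both extension findings; an upload is accepted only when the returned list is empty.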