Subject: Re: [xsl] Can an XSLT document invoke arbitrary extension functions?
From: "G. Ken Holman" <gkholman@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 26 Oct 2009 16:53:07 -0400
At 2009-10-26 16:40 -0400, Costello, Roger L. wrote:
> Below is an XSLT transform that - supposedly - opens a DOS command prompt. I saw the XSLT transform in this [1] briefing (slide 132). I ran it. It doesn't work; it just produces an error.

Right, because you haven't asked the XSLT processor if it supports the "getRuntime()" function in the given namespace. If you try invoking a function that does not exist, the specification states it is an error:
  "If such an extension function occurs in an expression and the extension
   function is actually called, the XSLT processor must signal an error."

The way you check is with the function-available() function:

> 1. Should the below XSLT Transform work? (i.e. is there simply a minor bug in it, that when fixed, would make it operate as desired?)

The semantics of extension functions are up to the definition and how it is supported by the processor. It looks like a processor that supports what you have would work, but how many processors support it?

> 2. Is there any control over the set of extension functions provided by XSLT processors?

"control"? An XSLT processor has a set of extension functions or it doesn't. If the processor offers at invocation time the ability to turn on or off functions, then I suppose one could then "control" what extension functions are available in an environment invoked for arbitrary stylesheets.

> 3. How do you respond to the briefing's suggestions that XSLT is riddled with security leaks? (I realize this is a broad question; any thoughts you have would be appreciated)

There is *nothing* that I know of in the standard XSLT specification that gives an outside program control. What any particular processor offers to stylesheets by way of extensions is up to the processor and is outside the definition of the specification.

So, I would say that XSLT has zero security issues but XSLT processors (like any other application) may have their own problems if they implement anything beyond the standard definition.

I think it is unfair to criticize the specification as unsafe when safe implementations of the specification can be written. A processor is not required to support any extension at all. I would think processor writers could offer a "safe mode" if this was a concern for their users.

I hope this helps.

. . . . . . . . . . Ken

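As an added illustration (not part of Ken's reply, nor the transform from Roger's briefing), the Java program below puts the two points of the reply side by side: a stylesheet that guards an extension call with function-available() instead of calling it blindly, and the processor-side "safe mode" that JAXP exposes as FEATURE_SECURE_PROCESSING. The stylesheet reaches a deliberately harmless Java method (java.lang.Math.abs) through the Xalan Java extension namespace, which the JDK's built-in XSLTC processor understands; the input document, the stylesheet text and the class name ExtensionProbe are all constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class ExtensionProbe {

    // Constructed stylesheet. It asks the processor whether the extension
    // exists before calling it, so a processor without Java extensions takes
    // the xsl:otherwise branch instead of raising the error the spec mandates.
    static final String XSLT =
        "<xsl:stylesheet version=\"1.0\"\n"
      + "  xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
      + "  xmlns:java=\"http://xml.apache.org/xalan/java\"\n"
      + "  exclude-result-prefixes=\"java\">\n"
      + "  <xsl:output method=\"text\"/>\n"
      + "  <xsl:template match=\"/\">\n"
      + "    <xsl:choose>\n"
      + "      <xsl:when test=\"function-available('java:java.lang.Math.abs')\">\n"
      + "        <xsl:text>extension available, abs(-7) = </xsl:text>\n"
      + "        <xsl:value-of select=\"java:java.lang.Math.abs(-7)\"/>\n"
      + "      </xsl:when>\n"
      + "      <xsl:otherwise>extension not available; plain XSLT output</xsl:otherwise>\n"
      + "    </xsl:choose>\n"
      + "  </xsl:template>\n"
      + "</xsl:stylesheet>";

    // Constructed input document; the stylesheet does not look at its content.
    static final String INPUT = "<doc/>";

    /**
     * Compiles and runs the stylesheet. With secure == true the factory is
     * put into JAXP secure processing, which the JDK's XSLTC treats as
     * "no extension functions" (JAXP property jdk.xml.enableExtensionFunctions
     * is forced off). Depending on the JDK release this shows up either as
     * function-available() returning false or as the stylesheet being
     * rejected at compile time; in both cases no Java method is invoked.
     */
    static String run(boolean secure) {
        try {
            TransformerFactory factory = TransformerFactory.newInstance();
            if (secure) {
                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            }
            Transformer t = factory.newTransformer(
                new StreamSource(new StringReader(XSLT)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(INPUT)),
                        new StreamResult(out));
            return out.toString();
        } catch (TransformerConfigurationException e) {
            // The processor refused the stylesheet (e.g. extension call not allowed).
            return "stylesheet rejected at compile time: " + e.getMessage();
        } catch (Exception e) {
            return "transform failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default factory  : " + run(false));
        System.out.println("secure processing: " + run(true));
    }
}
```

Run it with `javac ExtensionProbe.java && java ExtensionProbe`. The first line shows what the processor's default configuration hands to an arbitrary stylesheet; the second is the "safe mode" Ken describes, applied by the application that embeds the processor rather than by anything in the XSLT specification. Whether an untrusted stylesheet should ever run without that feature is a decision for the embedding application, which is exactly where the reply places it.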