Re: [xsl] Can an XSLT document invoke arbitrary extension functions?

From: Florent Georges <lists@xxxxxxxxxxxx>
Date: Mon, 26 Oct 2009 21:00:45 +0000 (GMT)
Costello, Roger L. wrote:

  Hi,

> The briefing seems to suggest that XSLT is riddled with security
> leaks, as any XSLT transform can invoke pretty much any
> arbitrary function (apparently including, as the below XSLT
> transform shows, any arbitrary Windows function).

  A processor can provide such extension functions, sure.  But
well, the same way you can do pretty weird things in Java or any
other programming language.  This is not a security hole, this is
a feature you can use or not.  Of course, if you plan to execute a
program coming from the wild wild world, you have to very carefully
disable those features on your processor.

  Regards,

-- 
Florent Georges
http://www.fgeorges.org/
