Re: [xsl] Can an XSLT document invoke arbitrary extension functions?

Subject: Re: [xsl] Can an XSLT document invoke arbitrary extension functions?
From: Wendell Piez <wapiez@xxxxxxxxxxxxxxxx>
Date: Mon, 26 Oct 2009 18:15:12 -0400
Hi,

I scanned the slides cited and I actually found nothing to disagree with (though it's not my area of expertise). The author is clearly talking about XSLT being used for things it wasn't primarily intended for by developers who are in over their heads and haven't come to terms with what XSLT or XSLT engines can do. If this makes it a security hazard in that application context, that's not really about XSLT but about the way it's being used.

As I see it, that kind of problem actually goes with the territory of its being a powerful and capable technology, not something always to be avoided on principle.

I agree that the particular example of a Xalan extension supposedly being used to execute arbitrary code is over the top; but the argument being made in the slides doesn't actually depend on this example.

Cheers,
Wendell

At 04:40 PM 10/26/2009, Roger wrote:
Hi Folks,

Below is an XSLT transform that - supposedly - opens a DOS command prompt. I saw the XSLT transform in this [1] briefing (slide 132). I ran it. It doesn't work; it just produces an error....


======================================================================
Wendell Piez                            mailto:wapiez@xxxxxxxxxxxxxxxx
Mulberry Technologies, Inc.                http://www.mulberrytech.com
17 West Jefferson Street                    Direct Phone: 301/315-9635
Suite 207                                          Phone: 301/315-9631
Rockville, MD  20850                                 Fax: 301/315-8285
----------------------------------------------------------------------
  Mulberry Technologies: A Consultancy Specializing in SGML and XML
======================================================================
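One defensive configuration for the point raised in this thread, as an added example that is not part of the original posts: it feeds the JDK's built-in XSLTC/Xalan processor a constructed stylesheet that calls a harmless Java extension function, and shows that JAXP secure processing refuses such calls before any stylesheet-supplied code can run. The class name, method name and sample stylesheet are assumptions; the JAXP feature and attribute names used are real, and the behaviour described is that of the JDK's own processor.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class SecureXsltDemo {
    // Constructed stylesheet: calls a harmless Java method through the Xalan
    // "java:" extension namespace. Under secure processing the engine refuses
    // the call regardless of which class or method the stylesheet names.
    static final String STYLESHEET =
        "<xsl:stylesheet version='1.0'"
        + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
        + " xmlns:java='http://xml.apache.org/xalan/java'>"
        + "<xsl:output method='text'/>"
        + "<xsl:template match='/'>"
        + "<xsl:value-of select='java:java.lang.Math.abs(-42)'/>"
        + "</xsl:template></xsl:stylesheet>";
    static final String INPUT = "<doc/>"; // constructed input document

    /** Runs the transform; returns its output, or null if the engine blocked it. */
    static String runTransform(String stylesheet, boolean secure) {
        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            // The security-relevant setting: JAXP secure processing makes the JDK's
            // XSLTC/Xalan reject extension function calls (assumed: JDK processor).
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
            // Also stop the stylesheet from pulling in external DTDs or imports.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
            Templates t = tf.newTemplates(new StreamSource(new StringReader(stylesheet)));
            StringWriter out = new StringWriter();
            t.newTransformer().transform(
                new StreamSource(new StringReader(INPUT)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            // Covers both compile-time and run-time rejection of the extension call.
            System.err.println("blocked: " + e.getMessageAndLocation());
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("secure=false -> " + runTransform(STYLESHEET, false));
        System.out.println("secure=true  -> " + runTransform(STYLESHEET, true));
    }
}
```

Any application that accepts stylesheets from outside its trust boundary should run with the secure branch; the insecure branch is shown only so the difference is visible in one run.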