Subject: [xsl] XSLT3.0: Question about shadow attributes and the possibility to supply value to a static parameter
From: "Dimitre Novatchev dnovatchev@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 21 Nov 2014 06:37:07 -0000

In section 3.14.2 "Shadow Attributes" the 2nd example: "Example: Using Shadow Attributes to Parameterize Selection of Elements", shows how to produce a report giving information about selected employees.

The predicate defining which employees are to be included in the report is supplied (as a string containing an XPath expression) in a static stylesheet parameter.

A note at the end of the example contains this text:

"The stylesheet function local:filter is used here in preference to direct use of the supplied predicate within the select attribute of the xsl:apply-templates instruction because it reduces exposure to code injection attacks".

Because "injection attacks" are said to be possible, this means that it is assumed that the value of the static stylesheet parameter will be supplied by the initiator of the transformation.

However, in other parts of the specification (http://www.w3.org/TR/2014/WD-xslt-30-20141002/#static-params), it is postulated that the visibility of a static parameter must always be private.

My question is:

Is the expectation that it is possible to supply a value to the static stylesheet parameter correct, and if yes, doesn't this contradict the definition of the visibility of a static parameter as always private?

--
Cheers,
Dimitre Novatchev