Subject: Re: [xsl] HTML5 semantics and XSLT
From: "Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 19:33:52 -0000

Hi Liam,

Okay, this is fair enough, but what exactly is the XSLT developer to do?

Here, after all, we have a case of a supposed security vulnerability that is arguably less likely than a dozen or a hundred others, which is being attributed to the deployment of a transformation that is working as designed, on inputs that must be maliciously contrived and do not ordinarily appear in the wild.

The reporter of the weakness in question seems to have gone to some trouble to find a way to get a script to execute outside one of those sandboxes. It appears that one way is to worm it in through OpenOffice using an email client's "preview" feature. Yet the capability, once the worm is in, is to work just like a web page.

This looks like it shouldn't be our problem. Yet somehow it is.

David C has helped a little with the question of how to defend against this kind of thing but in the air is still the question of whether we do or why we should. I'm afraid we don't have much choice.

Cheers, Wendell

-----Original Message-----
From: Liam R. E. Quin liam@xxxxxxxxxxxxxxxx <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, February 23, 2022 2:04 PM
To: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [xsl] HTML5 semantics and XSLT

On Wed, 2022-02-23 at 18:37 +0000, Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx wrote:
> Hi again,
>
> To Mike's question "And presumably any harm that can be done using
> this exploit could equally be done by executing untrusted HTML in the
> browser directly?"
>
> Indeed it could.

This is why there are sandbox facilities in HTML, in which you can say, "beneath this element, no scripting is allowed and any additional CSS rules will be ignored". The mechanism gives separate control over script, style, iframe.

Liam

--
Liam Quin, https://www.delightfulcomputing.com/
Available for XML/Document/Information Architecture/XSLT/XSL/XQuery/Web/Text Processing/A11Y training, work & consulting.
Barefoot Web-slave, antique illustrations: http://www.fromoldbooks.org/
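
As an added illustration of the sandbox facilities mentioned in the message above (not code from either poster or from the list): one way to frame untrusted HTML, such as transformation output built from untrusted input, so the browser treats it as inert. Using the iframe `sandbox` attribute together with a Content-Security-Policy `meta` element is an assumption about which facilities are meant; the function names and the sample markup are constructed for this example.

```javascript
// Added example: frame untrusted HTML (e.g. output of a transformation run on
// untrusted input) so the browser treats it as inert content.
// Function names and the sample markup are constructed for illustration.

// Escape text for a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// CSP for the framed document: nothing loads or runs; inline styles only
// when the caller asks for them.
function framePolicy({ allowInlineStyle = false } = {}) {
  const parts = ["default-src 'none'"];
  if (allowInlineStyle) parts.push("style-src 'unsafe-inline'");
  return parts.join("; ");
}

// Build <iframe sandbox srcdoc="...">. An empty sandbox attribute applies
// every restriction: no script, no forms, no popups, opaque origin.
function sandboxedFrame(untrustedHtml, { tokens = [], allowInlineStyle = false } = {}) {
  const set = new Set(tokens);
  // With both tokens, framed script runs with the embedder's origin and can
  // remove the sandbox attribute, so refuse the combination.
  if (set.has("allow-scripts") && set.has("allow-same-origin")) {
    throw new Error("allow-scripts + allow-same-origin defeats the sandbox");
  }
  const doc =
    `<!DOCTYPE html><meta http-equiv="Content-Security-Policy" ` +
    `content="${escapeAttr(framePolicy({ allowInlineStyle }))}">` +
    untrustedHtml;
  return `<iframe sandbox="${escapeAttr([...set].join(" "))}" ` +
         `srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Constructed sample: markup that tries to close the attribute and carry a
// script element through a transformation that is working as designed.
const sample = '<p title="x">text</p>"><script>document.title = "changed"</script>';
console.log(sandboxedFrame(sample));
```

The escaping matters as much as the sandbox: `srcdoc` is an attribute, so an unescaped double quote in the untrusted markup would end the attribute and place the remainder in the embedding page.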