[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Malicious documents? (WAS: Interesting mailing list & a r

• To: <michael.h.kay@n...>
• Subject: Re: Malicious documents? (WAS: Interesting mailing list & a rare broadside)
• From: Henrik Motakef <henrik.motakef@w...>
• Date: 10 Jun 2002 22:30:35 +0200
• Cc: "'Simon St.Laurent'" <simonstl@s...>, <xml-dev@l...>
• In-reply-to: <000701c2108c$7c03e0d0$6401a8c0@pcukmka>
• References: <000701c2108c$7c03e0d0$6401a8c0@pcukmka>
• Sender: henrik.motakef@w...
• User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

"Michael Kay" <michael.h.kay@n...> writes:

> I see that David's talk mentions the dangers of referring to external
> XSLT stylesheets. Until recently the W3C site provided a servlet which
> would run an XSLT transformation using a user-specified source document
> and stylesheet. By calling external Java methods from the stylesheet,
> you had total access to files on the web server.
> 
> Although W3C have patched their servlet to disallow Java method calls, I
> suspect many others are still doing this.

Just out of interest: How will it handle an XPath including
``document('file:///some/secret/file.xml')''?

• References:
  • RE: Malicious documents? (WAS: Interesting mailing list & a rare broadside)
    • From: "Michael Kay" <michael.h.kay@n...>

• Prev by Date: Re: W3C Schema: Resistance is Futile, says Don Box
• Next by Date: Re: (more details) embedding xml schema in an instance doc
• Previous by thread: Re: Malicious documents? (WAS: Interesting mailing list & a rare broadside)
• Next by thread: Re: Malicious documents? (WAS: Interesting mailing list & a rare broadside)
• Index(es):
  • Date
  • Thread