
RE: What the .... ? Referencing XSL stylesheets across domains

  • To: "Sebastian Schnitzenbaumer" <schnitz@m...>,"Dare Obasanjo" <dareo@m...>,"bryan" <bry@i...>,<xml-dev@l...>
  • Subject: RE: What the .... ? Referencing XSL stylesheets across domains
  • From: "Joshua Allen" <joshuaa@m...>
  • Date: Thu, 15 Aug 2002 09:30:39 -0700
  • Thread-index: AcJEO8CjIb/JV4xRQ7SX02njiC/2+gAGbM3hAATlqL4AAPcV3QAC94tn
  • Thread-topic: What the .... ? Referencing XSL stylesheets across domains

Sebastian Schnitzenbaumer,
Oh, I see what you were saying now.  Keep in mind my message made no assumptions about malicious script -- all of those security threats I mentioned (overruns, external resolution) still exist even if the XSLT has no support for scripting.  They are a concern for any XSLT processor, not just MSFT.

	-----Original Message-----
	From: Sebastian Schnitzenbaumer [mailto:schnitz@m...]
	Sent: Thu 8/15/2002 8:48 AM
	To: Dare Obasanjo; bryan; xml-dev@l...
	Cc:
	Subject: RE:  What the .... ? Referencing XSL stylesheets across domains
	
	And I agree too, of course. But that wasn't the issue. I never
	asked about VBscript in my XSL in the first place. And I
	wasn't aware how harmful XSL can be. An XML stylesheet
	wasn't meant to be a security problem in the first place,
	and extending it for some 20% cases (allowing scripts) so it is
	treated as a security problem for the other 80% cases (just
	using XSL as it is) doesn't make sense to me. CSS
	was never extended with scripts and works just fine
	cross-domain in IE and all other browsers. Why
	can't just the stylesheets with scripts get the quarantine
	behaviour? Why must every cross-domain XSL be treated as if
	it would contain a malicious script, even though it doesn't use
	script at all? This would be similar to saying you can't view
	plain HTML pages unless it's a trusted site because the HTML
	could possibly contain a malicious script.
	
	As it stands, I'm afraid your cure is worse than the disease,
	
	- Sebastian
	
	        -----Original Message-----
	        From: Dare Obasanjo
	        Sent: Thu 15.08.2002 16:39
	        To: Sebastian Schnitzenbaumer; bryan; xml-dev@l...
	        Cc:
	        Subject: RE:  What the .... ? Referencing XSL stylesheets across domains
	
	        Security and convenience are a continuum. In today's internet
	        connected world, one typically has to trade up some convenience if they
	        want security. We are all witnesses to what happened when Microsoft
	        leaned more towards convenience than security in our products. I'm quite
	        glad that we've decided to shift to the other side and trade up
	        convenience for more security.
	
	        I'm sure many others agree.
	
	                -----Original Message-----
	                From: Sebastian Schnitzenbaumer [mailto:schnitz@m...]
	                Sent: Thu 8/15/2002 5:52 AM
	                To: bryan; xml-dev@l...
	                Cc:
	                Subject: RE:  What the .... ? Referencing XSL stylesheets across domains
	
	                I've invented this great new language the other day, it only
	                has four characters: °, o, 8 and .
	
	                So now I would say:
	
	                .oo88o°8o°°...°.8ooo
	
	                and
	
	                ...oo8o8o°o°o8.o.o8.oo.8°°..
	
	                and sometimes I'd even express myself through
	                ooo888°°°
	                or, in very special cases, I'd say
	                °°°888ooo
	
	                I wrote a poem the other day:
	                o..8.o.88.°°°.8.ooo.o88o°°°°
	                ..o8.8ooo8.oo8.ooo.8°8°8°8
	                ooo..o.88o°8o°8o°8o°oo°°°°
	
	                Beautiful, isn't it?
	
	                Oh, you can't read this? I'm afraid the stylesheet that someone
	                else did that translates this into English is considered harmful...
	                Please understand! You must be protected, this evil stylesheet
	                could:
	
	                - Make you blind through evil use of colors and contrast
	                - Collapse the wave function so the probability of your
	                  desktop being different in the future is slightly increased.
	
	                - Sebastian
	
	                        -----Original Message-----
	                        From: bryan
	                        Sent: Thu 15.08.2002 11:08
	                        To: xml-dev@l...
	                        Cc:
	                        Subject: RE:  What the .... ? Referencing XSL stylesheets across domains
	
	                        Sebastian Schnitzenbaumer wrote:
	                        >>Why is it
	                        >>dangerous to load an XSL from somewhere else?
	
	                        Joshua Allen wrote:
	                        >On the one hand, you could say, "It should treat XSLT processor the
	                        >same way as CSS", but on the other hand you might say "thank heavens
	                        >that people can't take control of my machine by exploiting buffer
	                        >overruns in the XSLT processor."
	
	                        I don't think you could say "it should treat XSLT processor the same way
	                        as CSS" what with the possibility to create extension functions that
	                        use VBScript, JavaScript, can call COM components etc.
	
	                        By the way, in case anyone didn't see this article:
	
	                        http://www.theregister.co.uk/content/archive/24815.html
	
	                        MS downloads wd-xsl to Windows-XP for search. Not the same subject but
	                        somewhat related.
	
	                        -----------------------------------------------------------------
	                        The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
	                        initiative of OASIS <http://www.oasis-open.org>
	
	                        The list archives are at http://lists.xml.org/archives/xml-dev/
	
	                        To subscribe or unsubscribe from this list use the subscription
	                        manager: <http://lists.xml.org/ob/adm.pl>
	
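The thread turns on a distinction the participants never pin down in code: Sebastian wants only stylesheets that carry script to be quarantined, while Joshua's point is that a script-free stylesheet can still resolve external resources (document(), xsl:include/xsl:import, external entities) and so is not equivalent to CSS. The scanner below is an added example, not code from this thread, from Microsoft or from any XSLT processor; it parses an untrusted stylesheet with the Python standard library (nothing is fetched or executed) and sorts it into "script", "external" or "inert" against the origin it was loaded from. The origin, the msxsl namespace handling and the three sample stylesheets are assumptions constructed for the example; treating any `script` element outside the XSLT namespace as script is a deliberate over-approximation so vendor variants other than MSXML are caught. Note the one class Joshua raises that no stylesheet scan can address: a buffer overrun is a defect in the processor itself, and only processor-side hardening or sandboxing covers it.

```python
"""Pre-flight triage of an untrusted XSLT stylesheet (added example, not code
from the xml-dev thread, MSXML or any other XSLT processor). Sample
stylesheets and ORIGIN are constructed; nothing is fetched or executed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# XPath document() call inside an attribute: literal argument in group 1/2,
# neither group set when the argument is computed at run time.
DOC_CALL = re.compile(r"""\bdocument\s*\(\s*(?:'([^']*)'|"([^"]*)")?""")
# External entity declared in an internal DTD subset; the XML parser would
# resolve it before XSLT even runs.
EXT_ENTITY = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b")


def same_origin(ref: str, base: str) -> bool:
    """True when `ref`, resolved against `base`, stays on base's scheme+host."""
    target = urlsplit(urljoin(base, ref))
    home = urlsplit(base)
    return (target.scheme, target.netloc) == (home.scheme, home.netloc)


def scan_stylesheet(text: str, origin: str) -> dict:
    """Classify as 'script' (script extension block present), 'external'
    (script-free but reaches another origin) or 'inert' (neither)."""
    findings = {"script": [], "external": []}
    if EXT_ENTITY.search(text):
        findings["external"].append("external entity declared in DOCTYPE")

    root = ET.fromstring(text)          # parse only; no resolution, no transform
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        ns = ns.lstrip("{")             # '' for elements in no namespace
        # Assumption: any non-XSLT element named `script` is a script block
        # (covers msxsl:script and vendor-specific equivalents).
        if local == "script" and ns != XSL_NS:
            lang = el.get("language", "unspecified")
            findings["script"].append(f"{ns or '(no namespace)'} script block, language={lang}")
        if ns == XSL_NS and local in ("include", "import"):
            href = el.get("href", "")
            if not same_origin(href, origin):
                findings["external"].append(f"xsl:{local} href={href}")
        for attr, value in el.attrib.items():
            for m in DOC_CALL.finditer(value):
                target = m.group(1) if m.group(1) is not None else m.group(2)
                if target is None:
                    findings["external"].append(f"document() with computed argument in @{attr}")
                elif not same_origin(target, origin):
                    findings["external"].append(f"document('{target}') in @{attr}")

    if findings["script"]:
        verdict = "script"
    elif findings["external"]:
        verdict = "external"
    else:
        verdict = "inert"
    return {"verdict": verdict, **findings}


ORIGIN = "http://example.com/poem/"   # hypothetical origin the stylesheet came from

# Constructed samples: plain (same-origin include only), scripted (msxsl:script
# plus a cross-origin import), and script-free but pulling data cross-origin.
PLAIN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:include href="common.xsl"/>
  <xsl:template match="/"><html><body><xsl:value-of select="/poem/line"/></body></html></xsl:template>
</xsl:stylesheet>"""

SCRIPTED = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:example-user">
  <xsl:import href="http://other.example/base.xsl"/>
  <msxsl:script language="VBScript" implements-prefix="user">
    Function Decode(s)
      Decode = s
    End Function
  </msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:Decode(/poem)"/></xsl:template>
</xsl:stylesheet>"""

SCRIPT_FREE_EXTERNAL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:variable name="dict" select="document('http://other.example/dictionary.xml')"/>
  <xsl:template match="/"><xsl:value-of select="$dict/words/word[1]"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, sheet in [("plain", PLAIN), ("scripted", SCRIPTED),
                        ("script-free but external", SCRIPT_FREE_EXTERNAL)]:
        print(name, "->", scan_stylesheet(sheet, ORIGIN))
```

A policy built on this can give Sebastian's "quarantine only the scripted ones" for the "script" verdict while still refusing, or sandboxing, the "external" case that CSS has no counterpart for; a relative include or document('') stays same-origin and leaves the sheet "inert".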