
RE: What the .... ? Referencing XSL stylesheets across domains



Sebastian Schnitzenbaumer:

>And I agree too, of course. But that wasn't the issue. I never
>asked about VBscript in my XSL in the first place. And I
>wasn't aware how harmful XSL can be. An XML stylesheet
>wasn't meant to be a security problem in the first place,
>and extending it for some 20% cases (allowing scripts) so it is 
>treated as a security problem for the other 80% cases (just
>using XSL as it is) doesn't make sense to me

Well I'm afraid this really goes beyond Microsoft's implementation to
the XSL-T specification, since the specification gives you the ability
to define extension functions and these can be written in whatever
language the processor-implementor wants. Most processors have extension
functions written in Java, again a security hazard for cross-domain
XSL-T, although other processor-implementors can of course make their
own decisions a propos security. I don't really like comparing css and
xsl-t as the latter is a programming language, and as a small one has
been provided with a mechanism to extend it. 

>Why
>can't just the stylesheets with scripts get the quarantine
>behaviour? Why must every cross-domain XSL be treated as if 
>it would contain a malicious script, even though it doesn't use
>script at all? 

This is one of those whys that I'm sure we all know the reason for,
that Programmer X saw that there was a problem Y that he just didn't
have the time to give the best solution, so he just decided to restrict
it. Perhaps at some time in the future Programmer X will come back to
the problem and say "I'll fix that now" but I really doubt it
especially as I have a hard time seeing the utility of cross-domain
calling of XSL-T, if I want to use one from another domain I'll copy it
and send the original author a nice email telling them I'm using their
XSL-T.
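
The question quoted above, whether only stylesheets that use script need the restrictive treatment, depends on telling the two kinds apart before transforming. The following is an added example, not part of the original post and not how any processor decides: a Python check that flags `msxsl:script` blocks, prefixed (extension) function calls, declared extension elements and imports in one stylesheet file. The two sample stylesheets and the `urn:example:user` namespace are constructed for the illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"  # namespace of MSXML's msxsl:script
# prefix:name( in an attribute value. XSLT 1.0 core functions are unprefixed,
# so a prefixed call is an extension function. Axis syntax (child::node()) does
# not match. Deliberately conservative: string literals can cause false hits.
PREFIXED_CALL = re.compile(r"(?<![\w.-])([A-Za-z_][\w.-]*):([A-Za-z_][\w.-]*)\s*\(")

def audit_stylesheet(xslt_text):
    """Return sorted findings; an empty list means none were found in this file."""
    findings, prefixes = set(), {}
    stream = io.BytesIO(xslt_text.encode("utf-8"))
    for event, item in ET.iterparse(stream, events=("start-ns", "start")):
        if event == "start-ns":          # item is a (prefix, uri) pair
            prefixes[item[0]] = item[1]
            continue
        tag = item.tag
        ns, local = tag[1:].split("}", 1) if tag.startswith("{") else ("", tag)
        if ns == MSXSL_NS and local == "script":
            findings.add("script block, language=%s" % item.get("language", "unspecified"))
        if ns == XSL_NS and local in ("import", "include"):
            # The imported file needs the same audit; it is not fetched here.
            findings.add("pulls in another stylesheet: %s" % item.get("href"))
        if (item.get("extension-element-prefixes")
                or item.get("{%s}extension-element-prefixes" % XSL_NS)):
            findings.add("declares extension elements")
        for value in item.attrib.values():
            for prefix, name in PREFIXED_CALL.findall(value):
                uri = prefixes.get(prefix, "undeclared")
                findings.add("extension function %s:%s (%s)" % (prefix, name, uri))
    return sorted(findings)

# Constructed sample: plain XSLT, nothing beyond the core language.
CLEAN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><p><xsl:value-of select="count(child::item)"/></p></xsl:template>
</xsl:stylesheet>"""

# Constructed sample: a script block implementing an extension function.
SCRIPTED = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:example:user">
  <msxsl:script language="VBScript" implements-prefix="user">Function hello() : hello = "hi" : End Function</msxsl:script>
  <xsl:template match="/"><p><xsl:value-of select="user:hello()"/></p></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for label, text in (("CLEAN", CLEAN), ("SCRIPTED", SCRIPTED)):
        print(label, audit_stylesheet(text))
```

An empty result covers only the file that was parsed; any `xsl:import` or `xsl:include` target has to pass the same check before the stylesheet is treated as script-free.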


