Re: XInclude: security risk 1
>It is somewhat (though far >from completely) mitigated by the fact that the document() function >can only point to well-formed XML documents so it can't steal >absolutely any file or URL. You could combine it with an entity reference: use document() to refer to an external document that has a file: entity reference. Then any plain text without less-thans or ampersands will be well-formed. I'm sure that current browsers must already prevent this, probably by disallowing file: references from non-trusted documents. -- Richard
PURCHASE STYLUS STUDIO ONLINE TODAY!
Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!
Download The World's Best XML IDE!
Accelerate XML development with our award-winning XML IDE - Download a free trial today!
Subscribe in XML format