XML-DEV Mailing List Archive
Re: XInclude: security risk 1
At 01:47 PM 10/26/2002 -0400, Elliotte Rusty Harold wrote:
>However, I suspect it's at least bad enough that browser vendors and other
>XInclude users should be made aware of the issues, and perhaps not
>XInclude by default; or perhaps it would be enough just not to fallback.
>Or perhaps not make the post-inclusion DOM available through scripting. Or
>limit the URLs included to ones from the same host as the base page came
>from. Thoughts?

It reminds me a bit of the issues that David Megginson raised back at XTech 2000:
http://www.xml.com/pub/a/2000/02/xtech/megginson.html

I can't find David's original slides, but it more or less covered the risks created by wide-open URI processing in a variety of different contexts. It was prior to XInclude, but pretty interesting stuff.

Those tools don't include a fallback for sending messages back, though!

Simon St.Laurent
"Every day in every way I'm getting better and better." - Emile Coue
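Two of the mitigations in the quoted message (limit included URLs to the host the base page came from, and do not fall back) worked through as an added example. This is not code from the thread and not any real XInclude implementation: a minimal xi:include processor over Python's xml.etree that only loads documents from the origin of the top-level page and treats a blocked or failed include as a hard error unless fallback is explicitly enabled. The FAKE_WEB map, the loader and every URL in it are constructed stand-ins for the network.

```python
"""Same-origin XInclude processing with fallback off by default.

Added example, not code from the xml-dev thread. Only parse="xml" includes
are handled; the loader is a constructed in-memory map, not a real fetch.
"""
import copy
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

XI_NS = "http://www.w3.org/2001/XInclude"
XI_INCLUDE = "{%s}include" % XI_NS
XI_FALLBACK = "{%s}fallback" % XI_NS
MAX_DEPTH = 5  # bound on nested includes, also stops self-inclusion loops

# Constructed stand-in for the web: absolute URL -> document text.
FAKE_WEB = {
    "https://example.test/page.xml":
        f'<doc xmlns:xi="{XI_NS}"><xi:include href="part.xml"/></doc>',
    "https://example.test/part.xml":
        "<part>hello</part>",
    "https://example.test/leaky.xml":
        f'<doc xmlns:xi="{XI_NS}"><xi:include href="https://other.test/secret.xml">'
        "<xi:fallback><p>blocked</p></xi:fallback></xi:include></doc>",
    "https://example.test/loop.xml":
        f'<doc xmlns:xi="{XI_NS}"><xi:include href="loop.xml"/></doc>',
    "https://other.test/secret.xml":
        "<secret>not for example.test</secret>",
}


class IncludeError(Exception):
    """Raised when an include is blocked by policy or cannot be loaded."""


def fake_loader(url):
    """Constructed loader; a missing key plays the role of a 404."""
    return FAKE_WEB[url]


def same_origin(a, b):
    """True when scheme, host and port of both URLs match."""
    a, b = urlsplit(a), urlsplit(b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def resolve(inc, base_url, origin, loader, allow_fallback, depth):
    """Return the list of nodes that replace one xi:include element."""
    href = urljoin(base_url, inc.get("href", ""))
    try:
        if inc.get("parse", "xml") != "xml":
            raise IncludeError("only parse='xml' is handled in this example")
        # Policy check is against the origin of the *top-level* page, so an
        # included document cannot widen the policy for its own includes.
        if not same_origin(origin, href):
            raise IncludeError("cross-origin include blocked: " + href)
        if depth >= MAX_DEPTH:
            raise IncludeError("include nesting too deep at " + href)
        included = ET.fromstring(loader(href))
        process(included, href, origin, loader, allow_fallback, depth + 1)
        return [included]
    except (IncludeError, KeyError, ET.ParseError) as exc:
        fallback = inc.find(XI_FALLBACK)
        if allow_fallback and fallback is not None:
            # Fallback silently swaps in other content, which is what turns a
            # failed load into something the page can observe; off by default.
            return [copy.deepcopy(child) for child in fallback]
        raise IncludeError("include of %s failed: %s" % (href, exc)) from exc


def process(elem, base_url, origin, loader, allow_fallback, depth=0):
    """Resolve xi:include children of elem in place, recursively."""
    i = 0
    while i < len(elem):
        child = elem[i]
        if child.tag != XI_INCLUDE:
            process(child, base_url, origin, loader, allow_fallback, depth)
            i += 1
            continue
        nodes = resolve(child, base_url, origin, loader, allow_fallback, depth)
        elem.remove(child)
        for offset, node in enumerate(nodes):
            elem.insert(i + offset, node)
        # Keep any text that followed the include element.
        tail = child.tail or ""
        if nodes:
            nodes[-1].tail = (nodes[-1].tail or "") + tail
        elif i > 0:
            elem[i - 1].tail = (elem[i - 1].tail or "") + tail
        else:
            elem.text = (elem.text or "") + tail
        i += len(nodes)
    return elem


def include_document(url, allow_fallback=False, loader=fake_loader):
    """Load url and return its root with includes resolved under the policy."""
    root = ET.fromstring(loader(url))
    return process(root, url, url, loader, allow_fallback)


if __name__ == "__main__":
    doc = include_document("https://example.test/page.xml")
    print(ET.tostring(doc, encoding="unicode"))
    try:
        include_document("https://example.test/leaky.xml")
    except IncludeError as err:
        print("refused:", err)
```

With the origin check, a cross-host href never reaches the loader, so the page cannot learn anything about that host from whether the include succeeded; with fallback disabled, a same-host failure stops processing rather than quietly rendering substitute content. Switching `allow_fallback=True` on `leaky.xml` shows the other design point: the secret is still never fetched, but the document now renders differently depending on policy, which is the kind of observable difference the quoted message is concerned about.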