RE: Fw: Signing of XSL scripts
I agree that the core language has no system functions. The issue is what objects are defined. ECMAScript expects a "host" object to exist. I assume this name was chosen because this is the representation of the application "hosting" the script. I can easily imagine someone wanting to implement an escape to an external application for complex processing. How about queries to an external database? I hope that nobody implements something dangerous but I am concerned that a naive implementor might just pull some pieces off the shelf and expose users to risks without proper consideration while trying to satisfy a perceived need for escapes to external applications.

John Dreystadt

> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxx]On Behalf Of Paul Prescod
> Sent: Friday, May 29, 1998 10:01 AM
> To: xsl-list@xxxxxxxxxxxxxxxx
> Subject: Re: Fw: Signing of XSL scripts
>
> John Dreystadt wrote:
> >
> > An alternative direction for secure scripting is the model adopted by
> > the TCL community. They use "SafeTCL" which is a variation on the usual
> > TCL interpreter. SafeTCL has the dangerous components removed or
> > restricted.
>
> ECMAScript is already safe. If I recall correctly, the core language has
> no system functions at all. Only extensions could provide access to system
> resources.
>
> > I believe that we should start by examining what web browsers allow
> > ECMAScript to do, determine what needs to be added for XSL (maybe
> > nothing) and then determine how to add the new functionality safely.
>
> The things to be added have nothing to do with files, hard disks, dialog
> boxes or other system resources. You would have to work hard to add them
> in a non-safe manner.
>
> Paul Prescod - http://itrc.uwaterloo.ca/~papresco
>
> Three things never trust in: That's the vendor's final bill
> The promises your boss makes, and the customer's good will
> http://www.geezjan.org/humor/computers/threes.html
>
> XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list