
RE: Fw: Signing of XSL scripts

Subject: RE: Fw: Signing of XSL scripts
From: "John Dreystadt" <jdreysta@xxxxxxxxxxxxx>
Date: Fri, 29 May 1998 18:18:17 -0400
I agree that the core language has no system functions. The issue is
what objects are defined. ECMAScript expects a "host" object to exist. I
assume this name was chosen because this is the representation of the
application "hosting" the script.

I can easily imagine someone wanting to implement an escape to an
external application for complex processing. How about queries to an
external database?

I hope that nobody implements something dangerous but I am concerned
that a naive implementor might just pull some pieces off the shelf and
expose users to risks without proper consideration while trying to
satisfy a perceived need for escapes to external applications.

John Dreystadt

> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxx]On Behalf Of Paul Prescod
> Sent: Friday, May 29, 1998 10:01 AM
> To: xsl-list@xxxxxxxxxxxxxxxx
> Subject: Re: Fw: Signing of XSL scripts
>
>
> John Dreystadt wrote:
> >
> > An alternative direction for secure scripting is the model adopted by
> > the TCL community. They use "SafeTCL" which is a variation on the usual
> > TCL interpreter. SafeTCL has the dangerous components removed or
> > restricted.
>
> ECMAScript is already safe. If I recall correctly, the core language has
> no system functions at all. Only extensions could provide access to system
> resources.
>
> > I believe that we should start by examining what web browsers allow
> > ECMAScript to do, determine what needs to be added for XSL (maybe
> > nothing) and then determine how to add the new functionality safely.
>
> The things to be added have nothing to do with files, hard disks, dialog
> boxes or other system resources. You would have to work hard to add them
> in a non-safe manner.
>
>  Paul Prescod  - http://itrc.uwaterloo.ca/~papresco
>
> Three things never trust in: That's the vendor's final bill
> The promises your boss makes, and the customer's good will
> http://www.geezjan.org/humor/computers/threes.html
>
>
>  XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
>

