[XSL-LIST Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: Fw: Signing of XSL scripts

Subject: RE: Fw: Signing of XSL scripts
From: "John Dreystadt" <jdreysta@xxxxxxxxxxxxx>
Date: Thu, 28 May 1998 10:26:11 -0400
xsl scripts
An alternative direction for secure scripting is the model adopted by
the TCL community. They use "SafeTCL" which is a variation on the usual
TCL interpreter. SafeTCL has the dangerous components removed or
restricted.

As pointed out, an arbitrary scripting language exposes the system where
the script is running to various attacks. But restrictions can be
implemented. ECMAScript is already running inside of web pages that
people download all the time. The web browser is responsible for
implementing rules that prevent ECMAScript from doing bad things.

I believe that we should start by examining what web browsers allow
ECMAScript to do, determine what needs to be added for XSL (maybe
nothing) and then determine how to add the new functionality safely.

John Dreystadt

> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxx]On Behalf Of Gavin Nicol
> Sent: Thursday, May 28, 1998 9:36 AM
> To: xsl-list@xxxxxxxxxxxxxxxx
> Subject: Re: Fw: Signing of XSL scripts
>
>
> >It is beginning to look as if the use of ECMAScript may lead to some
> >problems with system security unless there is a change in
> the way in which
> >scripts can be authenticated in Internet Explorer. For
> input/output to a
>
> Even authentication isn't enough. Having an arbitrary
> scripting language
> opens you to denial of serive attacks, and other such things. All the
> signing does is allow you to know who *supposedly* sent you the script
> (it will always be possibly to fake identification here too
> given enough
> resources). What is needed is some way for the XSL processor
> to be able
> to "prove" correctness.
>
>
>  XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
>


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list


Current Thread

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.