RE: The evaluate function
> Apart from all the issues mentioned by Mr. Kay, an eval() function makes it rather easy to open security holes in a style sheet.

Indeed, you have cited some serious problems. However, I disagree with you on their exact nature and origin.

> For example, once you figured out you can put an XPath into

Why would someone allow users to pass input directly to an XPath evaluate function? This seems to me like a bad idea. Furthermore, proper use of permissions should prevent access to system configuration files.

> Or, if extension functions may be called indiscriminately:
> mswin:delete("C:\*.*","recursive")

What is such an extension function even doing in an XSLT processor!? Furthermore, it seems similarly absurd for an admin not to configure the system's permissions to preclude such things.

I don't think it makes sense to handicap a standard, based on vulnerabilities introduced by nonstandard extensions used on poorly administrated systems.

Matthew Gruenke

XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
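The exchange above turns on untrusted text reaching an evaluate function and on extension functions being callable from it. The following is an added example, not part of the original message or of any XSLT processor: a gate that vets an expression before it is handed to a dynamic evaluate call. The name `check_dynamic_xpath` and the allow-list policy are assumptions made for this sketch.

```python
import re

# Assumed policy for this sketch: the only calls permitted in a dynamic
# expression are these XPath 1.0 core functions and node tests.
ALLOWED_CALLS = frozenset({
    "text", "node", "position", "last", "count", "not", "contains",
    "starts-with", "normalize-space", "string", "number", "name",
})
_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
_CALL = re.compile(r"([A-Za-z_][A-Za-z0-9_.-]*)\s*\(")


def check_dynamic_xpath(expr, max_len=200):
    """Return (ok, reason) for text that is about to reach an evaluate() call."""
    if len(expr) > max_len:
        return False, "expression too long"
    # Replace string literals with '#' so their contents are never parsed.
    bare = _LITERAL.sub("#", expr)
    if "'" in bare or '"' in bare:
        return False, "unterminated string literal"
    if not bare.isascii():
        return False, "non-ASCII character outside a string literal"
    # '::' is the axis separator; any other colon is a namespace prefix,
    # which is how extension functions are addressed.
    if ":" in bare.replace("::", ""):
        return False, "prefixed name refused"
    for name in _CALL.findall(bare):
        if name not in ALLOWED_CALLS:
            return False, "function not on allow-list: " + name
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs, except the second, which is the call quoted above.
    samples = [
        "item[position() < 3]/name",
        r'mswin:delete("C:\*.*","recursive")',
        "system-property('xsl:vendor')",
        "child::item[contains(., 'a:b(')]",
    ]
    for sample in samples:
        print(check_dynamic_xpath(sample), sample)
```

A gate like this complements, rather than replaces, the operating-system permissions the message argues for.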