Cart
|
[XSL-LIST Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] RE: The evaluate function
 Apart from all the issues mentioned by Mr.Kay, an eval() function makes it rather easy to open security holes in a style sheet. Indeed, you have cited some serious problems. However, I disagree with you on their exact nature and origin. For example, once you figured out you can put a XPath into Why would someone allow users to pass input directly to an XPath evaluate function? This seems to me like a bad idea. Furthermore, proper use of permissions should prevent access to system configuration files. What is such an extension function even doing in an XSLT processor!? Furthermore, it seems similarly absurd for an admin not to configure the system's permissions to preclude such things. I don't think it makes sense to handicap a standard, based on vulnerabilities introduced by nonstandard extensions used on poorly administrated systems. Matthew Gruenke _________________________________________________________________ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list 
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! 
Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
