[XSL-LIST Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Saxon for windows?

Subject: Re: Saxon for windows?
From: "M. David Peterson" <m.david.x2x2x@xxxxxxxxx>
Date: Sat, 4 Jun 2005 11:42:59 -0600
calling saxon from windows
Hey Michael,

It seems Web Service architecture is one of several areas of XSLT 2.0
application development that lacks content...  I'm guessing that any
content that does exist on this topic is probably stored away in your
brain as I havent really found anything else on the web or in print
that even comes close to acting as a guidance tool in architecting
such a web service, giving consideration to all the good, bad, and
ugly such a task would invoke

Any chance that this might be a consideration as a new chapter in the
4th edition of your XSLT title?  While I plan to buy the first copy I
can find if such a title is to come into existence a chapter like this
would find me buying two just as an extra way of saying thanks as such
a chapter would be a GIGANTIC help in future application design and
development.

Cheers :)

On 6/4/05, Michael Kay <mike@xxxxxxxxxxxx> wrote:
> > > More than inefficient, it would be dangerous to run an XSLT
> > processor as
> > part of a *generally available* web service (I can only smile
> > envisioning
> > the kinds of creative DOS attacks that would be possible).
> >
> > Please explain how that would happen when the input is being
> > validated?
>
>
> Many people overlook the issue of extension functions. At one stage the W3C
> was running an XSLT transformation service on its web site where you could
> submit an arbitrary XSLT stylesheet and source document to be transformed.
> It was easy to establish (using system-property) that it was running xt,
and
> was then easy to write a stylesheet that gave me a complete directory
> listing of the W3C web site by calling methods in the standard Java
library.
> I could then have gone on to modify any file that the servlet code had
> access to.
>
> Saxon, and I imagine other good XSLT processors, has an option to disable
> extension functions so that it's safe to run untrusted stylesheet code.
> However, I think many people overlook this potential security weakness. And
> of course, there are cases where you need extension functions, which means
> you have to make sure the stylesheet code is trusted.
>
> Michael Kay
> http://www.saxonica.com/
>
>


--
<M:D/>

M. David Peterson
http://www.xsltblog.com

Current Thread

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.