XSL-LIST Mailing List Archive

HTML5 semantics and XSLT
Friends,

Starting from an interesting post at https://blog.sonarsource.com/horde-webmail-account-takeover-via-email (brought to my attention by a colleague) ...

Amazingly, it appears to be true that, opened in a current web browser, a document like the following will proceed to execute the script it contains.

  <!DOCTYPE html>
  <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
      <title>Boo?</title>
    </head>
    <body>
    </body>
  </html>

NB: yes, that supposed MathML is bogus. FWIW this is also different from the code snippet in the post, which isn't actually realistic. But it documents a real phenomenon.

The reason I remark on this is that (as noted in the post) it implies that any template such as this (copied from a widely distributed library), when targeting HTML, might be problematic on some uncontrolled inputs:

  <xsl:template match="*" mode="math">
    <xsl:element name="{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
      <xsl:apply-templates select="@*|node()" mode="math"/>
    </xsl:element>
  </xsl:template>

Might this need to be defended, maybe by emitting a prefix on every element name it makes?

  <xsl:template match="*" mode="math">
    <xsl:element name="mml:{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
      <xsl:apply-templates select="@*|node()" mode="math"/>
    </xsl:element>
  </xsl:template>

Otherwise, at least as reported in the post cited above, an OpenOffice document, when previewed in certain execution contexts, can act much like a Word document with embedded malware.

Comments?

Regards, Wendell
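As an added example that is not part of the original post or of any XSLT processor, the following Python models what the two templates above produce once serialized, and audits the resulting page for the bare tag names at which an HTML5 parser switches into foreign (MathML/SVG) content. The serialization shapes (`<math xmlns="...">` for the unprefixed template, `<mml:math xmlns:mml="...">` for the prefixed one) are an assumption about what a typical HTML output method emits for elements in a non-null namespace; the MathML fragment is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

MATHML_NS = "http://www.w3.org/1998/Math/MathML"
# HTML tree construction: an "in body" start tag named exactly "math" or
# "svg" enters MathML/SVG parsing. "mml:math" is just an unknown HTML tag.
FOREIGN_ENTRY_TAGS = {"math", "svg"}


def mathml_fragment():
    """Constructed sample of the tree the mode="math" template builds:
    each element in the MathML namespace, local name preserved."""
    math = ET.Element(f"{{{MATHML_NS}}}math")
    mi = ET.SubElement(math, f"{{{MATHML_NS}}}mi")
    mi.text = "x"
    return math


def serialize(fragment, prefixed):
    """Model (assumption, not a real processor) of HTML output writing a
    non-null-namespace element as XML: unprefixed -> <math xmlns="...">,
    prefixed -> <mml:math xmlns:mml="...">."""
    if prefixed:
        ET.register_namespace("mml", MATHML_NS)
        return ET.tostring(fragment, encoding="unicode")
    return ET.tostring(fragment, encoding="unicode", default_namespace=MATHML_NS)


class ForeignEntryAudit(HTMLParser):
    """Records start tags that would take an HTML5 parser out of HTML mode."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in FOREIGN_ENTRY_TAGS:  # HTMLParser lowercases tag names
            self.hits.append((tag, self.getpos()[0]))


def foreign_entry_tags(html_text):
    """Return [(tag, line)] for every bare <math>/<svg> start tag in the page;
    an empty list means the transform output never enters foreign content."""
    audit = ForeignEntryAudit()
    audit.feed(html_text)
    audit.close()
    return audit.hits


def page_with(fragment_markup):
    """Wrap serialized markup in a page shaped like the one in the post."""
    return ("<!DOCTYPE html>\n<html>\n<head><title>Boo?</title></head>\n"
            f"<body>\n{fragment_markup}\n</body>\n</html>\n")


if __name__ == "__main__":
    for prefixed in (False, True):
        markup = serialize(mathml_fragment(), prefixed)
        print(markup, "->", foreign_entry_tags(page_with(markup)))
```

Running the audit over a transform's real output (rather than this model) is the practical check: any hit is an element the browser will parse under MathML or SVG rules instead of as HTML.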