[XSL-LIST Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: The evaluate function

Subject: RE: The evaluate function
From: "Michael Kay" <michael.h.kay@xxxxxxxxxxxx>
Date: Thu, 3 Jan 2002 18:06:03 -0000
RE:  The evaluate function
> Apart from all the issues mentioned by Mr.Kay, an eval()
> function makes it rather easy to open security holes in
> a style sheet.
> For example, once you figured out you can put a XPath into
> the nice "Enter your query here" field which is passed
> directly to an eval() function, what will stop you from
> entering
>  document("file:///C/Documents and
> Settings/Administrator/preferences.xml")?
>  :-)
> Or, if extension functions may be called indiscriminately:
>  mswin:delete("C:\*.*","recursive")

I don't think you should rely on static analysis to stop stylesheets
performing mischief.

The latest Saxon releases have a switch allowing extension functions to be
disabled, so you can run untrusted stylesheets safely in a servlet
environment. It's then up to the web server to control what URLs are

Mike Kay

 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list

Current Thread


Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
First Name
Last Name
Subscribe in XML format
RSS 2.0
Atom 0.3
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.