
RE: Fw: Signing of XSL scripts


Subject: RE: Fw: Signing of XSL scripts
From: "John Dreystadt" <jdreysta@xxxxxxxxxxxxx>
Date: Fri, 29 May 1998 18:18:17 -0400

I agree that the core language has no system functions. The issue is
what objects are defined. ECMAScript expects a "host" object to exist. I
assume this name was chosen because this is the representation of the
application "hosting" the script.

I can easily imagine someone wanting to implement an escape to an
external application for complex processing. How about queries to an
external database?

I hope that nobody implements something dangerous but I am concerned
that a naive implementor might just pull some pieces off the shelf and
expose users to risks without proper consideration while trying to
satisfy a perceived need for escapes to external applications.

John Dreystadt

> -----Original Message-----
> From: owner-xsl-list@xxxxxxxxxxxxxxxx
> [mailto:owner-xsl-list@xxxxxxxxxxxxxxxx]On Behalf Of Paul Prescod
> Sent: Friday, May 29, 1998 10:01 AM
> To: xsl-list@xxxxxxxxxxxxxxxx
> Subject: Re: Fw: Signing of XSL scripts
>
>
> John Dreystadt wrote:
> >
> > An alternative direction for secure scripting is the model adopted by
> > the TCL community. They use "SafeTCL" which is a variation on the usual
> > TCL interpreter. SafeTCL has the dangerous components removed or
> > restricted.
>
> ECMAScript is already safe. If I recall correctly, the core language has
> no system functions at all. Only extensions could provide access to system
> resources.
>
> > I believe that we should start by examining what web browsers allow
> > ECMAScript to do, determine what needs to be added for XSL (maybe
> > nothing) and then determine how to add the new functionality safely.
>
> The things to be added have nothing to do with files, hard disks, dialog
> boxes or other system resources. You would have to work hard to add them
> in a non-safe manner.
>
>  Paul Prescod  - http://itrc.uwaterloo.ca/~papresco
>
> Three things never trust in: That's the vendor's final bill
> The promises your boss makes, and the customer's good will
> http://www.geezjan.org/humor/computers/threes.html
>
>
>  XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
>


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list


