[XSL-LIST Mailing List Archive Home] [By Thread] [By Date]

Re: Fw: Signing of XSL scripts


Subject: Re: Fw: Signing of XSL scripts
From: Paul Prescod <papresco@xxxxxxxxxxxxxxxx>
Date: Sat, 30 May 1998 05:12:06 -0400

Martin Bryan wrote:
> 
> You may need to be able to input from a local source because the input
> message may contain a value, such as a supplier number or catalogue number,
> for which displayable text needs to be taken from a local database.
>
> You may need to be able to output to a local database to create a local
> record of a message sent to a server when processing an XML/XSL form.

I don't think that a stylesheet language has any business snooping around
the local computer's databases or hard drives. There is a tendency among
many people to want to expand XSL until it is a general system for
processing everything. Yes, it should be extensible to the point where
people could do dangerous things with it. No, it should not in and of
itself have any capabilities to do dangerous things. Thus the dangerous
extensions are completely the responsibility of the people doing the
extensions, and not the W3C WG's.

XML can also be extended to do dangerous things through parameter
entities. That also is not the W3C WG's problem.

 Paul Prescod  - http://itrc.uwaterloo.ca/~papresco

Three things see no end: A loop with exit code done wrong
A semaphore untested, and the change that comes along
http://www.geezjan.org/humor/computers/threes.html


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list



Current Thread
Keywords