Re: [xsl] XSLT 2.0: Security concerns

Subject: Re: [xsl] XSLT 2.0: Security concerns
From: David Carlisle <davidc@xxxxxxxxx>
Date: Wed, 18 Jul 2007 16:04:13 +0100

You might want to set ALLOW_EXTERNAL_FUNCTIONS to false,
see http://www.saxonica.com/documentation/using-xsl/embedding.html

and rather than trap uses of document() at the syntactic level  just use
a URI handler that doesn't allow things that you don't want to allow
(perhaps don't allow all uris, or only allow them into some secure
sandboxed directory, or whatever is appropriate)

Dav

________________________________________________________________________
The Numerical Algorithms Group Ltd is a company registered in England
and Wales with company number 1249803. The registered office is:
Wilkinson House, Jordan Hill Road, Oxford OX2 8DR, United Kingdom.

This e-mail has been scanned for all viruses by Star. The service is
powered by MessageLabs. 
________________________________________________________________________

Current Thread
[xsl] XSLT 2.0: Security concerns Justin Johansson - Thu, 19 Jul 2007 00:25:15 +0900 David Carlisle - Wed, 18 Jul 2007 16:04:13 +0100 <= Robert Koberg - Wed, 18 Jul 2007 11:11:00 -0400 Justin Johansson - Thu, 19 Jul 2007 01:08:46 +0900 Michael Kay - Wed, 18 Jul 2007 20:26:24 +0100

<- Previous	Index	Next ->
[xsl] XSLT 2.0: Security concerns, Justin Johansson	Thread	Re: [xsl] XSLT 2.0: Security concer, Robert Koberg
Re: [xsl] function-available() test, John McGowan	Date	Re: [xsl] XSLT 2.0: Security concer, Robert Koberg
	Month

	XML Editor \| XML Author \| WYSIWYG Editors \| Schema Editor \| XSD Documentation \| XSL/XSLT Editor \| XQuery \| XML Databases \| SVN Client © 2002-2011 SyncRO Soft Ltd. All rights reserved. \| Sitemap \| Privacy Policy \| This website was created & generated with <oXygen/>®XML Editor

xml editor

Re: [xsl] XSLT 2.0: Security concerns