[XSL-LIST Mailing List Archive Home] [By Thread] [By Date]

[xsl] XSLT3.0: Question about shadow attributes and the possibility to supply value to a static parameter


Subject: [xsl] XSLT3.0: Question about shadow attributes and the possibility to supply value to a static parameter
From: "Dimitre Novatchev dnovatchev@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 21 Nov 2014 06:37:07 -0000

 In section  3.14.2 "Shadow Attributes"  the 2nd example: "Example:
Using Shadow Attributes to Parameterize Selection of Elements", shows
how to produce a report giving information about selected employees.
The predicate defining which employees are to be included in the
report is supplied (as a string containing an XPath expression) in a
static stylesheet parameter.

A note at the end of the example contains this text:

"The stylesheet function local:filter is used here in preference to
direct use of the supplied predicate within the select attribute of
the xsl:apply-templates instruction because it reduces exposure to
code injection attacks".

Because "injection attacks" are said to be possible, this means that
it is assumed that the value of the static stylesheet parameter will
be supplied by the initiator of the transformation.

However, in other parts of the specification
(http://www.w3.org/TR/2014/WD-xslt-30-20141002/#static-params), it is
postulated, that the visibility of a static parameter must always be
private.

My question is:  Is the expectation that it is possible to supply a
value to the static stylesheet parameter correct, and if yes, doesn't
this contradict the definition of the visibility of a static parameter
as always private?


-- 
Cheers,
Dimitre Novatchev


Current Thread
Keywords