This is the mail archive of the xsl-list@mulberrytech.com mailing list.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

RE: The evaluate function


>Apart from all the issues mentioned by Mr. Kay, an eval()
>function makes it rather easy to open security holes in
>a style sheet.

Indeed, you have cited some serious problems.  However, I disagree with you 
on their exact nature and origin.


>For example, once you figured out you can put a XPath into
>the nice "Enter your query here" field which is passed
>directly to an eval() function, what will stop you from
>entering document("file:///C/Documents and
>Settings/Administrator/preferences.xml")?

Why would someone allow users to pass input directly to an XPath evaluate 
function?  This seems to me like a bad idea.  Furthermore, proper use of 
permissions should prevent access to system configuration files.


>Or, if extension functions may be called indiscriminately:
>  mswin:delete("C:\*.*","recursive")

What is such an extension function even doing in an XSLT processor!?  
Furthermore, it seems similarly absurd for an admin not to configure the 
system's permissions to preclude such things.

I don't think it makes sense to handicap a standard, based on 
vulnerabilities introduced by nonstandard extensions used on poorly 
administered systems.


Matthew Gruenke
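The scenario the two posters argue about, reproduced as an added example that is not part of the thread: a stylesheet that hands the user's "query" field to EXSLT's dyn:evaluate (the eval() being discussed), a query that is really document('file:///...'), and the two remedies the reply points at, namely processor-level permissions (here lxml's XSLTAccessControl, which maps onto libxslt's security preferences) and, better, not evaluating user input as an expression at all but binding it as an XPath variable. The catalogue, stylesheet, secret file and function names (run_eval, file_disclosure_demo, find_title_safely) are all constructed for this example; it assumes lxml is installed.

```python
"""Added example (not from the thread): user-controlled XPath passed to
dyn:evaluate, the document() file-read it enables, and two mitigations.
Requires lxml (libxslt + libexslt underneath)."""
import os
import pathlib
import tempfile

from lxml import etree

# Constructed sample data standing in for whatever the page lets users search.
CATALOGUE = etree.XML(
    b"<catalogue>"
    b"<book id='1'><title>XSLT Basics</title></book>"
    b"<book id='2'><title>XPath in Depth</title></book>"
    b"</catalogue>"
)

# The pattern the quoted post warns about: $query comes straight from the
# "Enter your query here" field and is evaluated as an XPath expression.
EVAL_XSL = etree.XML(
    b"<xsl:stylesheet version='1.0'"
    b" xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
    b" xmlns:dyn='http://exslt.org/dynamic'"
    b" exclude-result-prefixes='dyn'>"
    b"<xsl:param name='query'/>"
    b"<xsl:output method='xml'/>"
    b"<xsl:template match='/'>"
    b"<result><xsl:copy-of select='dyn:evaluate($query)'/></result>"
    b"</xsl:template>"
    b"</xsl:stylesheet>"
)


def run_eval(query, access_control=None):
    """Apply EVAL_XSL to CATALOGUE with the untrusted string in $query.

    Returns the serialised result, or None when the processor refused to
    complete the transform. With access control switched on, a denied
    document() read is reported by libxslt as a transform error; current
    lxml/libxslt builds raise, older ones yield a result with nothing
    copied, so callers check both."""
    transform = etree.XSLT(EVAL_XSL, access_control=access_control)
    try:
        # strparam() quotes the value as an XPath string literal so that
        # dyn:evaluate receives exactly what the user typed.
        return str(transform(CATALOGUE, query=etree.XSLT.strparam(query)))
    except etree.XSLTError:
        return None


def file_disclosure_demo():
    """Write a constructed 'private' XML file, then ask the stylesheet to
    evaluate document('file:///...') with and without permissions.

    Returns (unrestricted_output, restricted_output)."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"<secret>hunter2</secret>")  # constructed secret
        query = "document('%s')" % pathlib.Path(path).as_uri()
        unrestricted = run_eval(query)
        # Equivalent of the "proper use of permissions" the reply asks for,
        # applied inside the processor: deny file and network reads/writes.
        restricted = run_eval(query, etree.XSLTAccessControl.DENY_ALL)
    finally:
        os.unlink(path)
    return unrestricted, restricted


def find_title_safely(book_id):
    """The alternative to eval(): the untrusted value is bound as an XPath
    variable and compared as a string. It is never parsed as an
    expression, so document(), extension functions and quote-breaking
    payloads simply fail to match anything."""
    hits = CATALOGUE.xpath("//book[@id=$book_id]/title/text()", book_id=book_id)
    return [str(t) for t in hits]


if __name__ == "__main__":
    print(run_eval("//book[@id='2']/title"))
    unrestricted, restricted = file_disclosure_demo()
    print("no permissions :", unrestricted)
    print("DENY_ALL       :", restricted)
    print(find_title_safely("2"))
    print(find_title_safely("2' or '1'='1"))
```

The first call shows the intended use, the second shows that a bare file URI in the "query" is enough to copy another document into the output, and DENY_ALL shows the processor refusing the read; find_title_safely is what the reply recommends instead, with an injection-style value returning nothing rather than everything.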




 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list

