This is the mail archive of the
xsl-list@mulberrytech.com
mailing list .
RE: The evaluate function
- From: "Brinkman, Theodore" <Theodore dot Brinkman at standardregister dot com>
- To: "'xsl-list at lists dot mulberrytech dot com'" <xsl-list at lists dot mulberrytech dot com>
- Date: Thu, 3 Jan 2002 12:27:04 -0500
- Subject: RE: [xsl] The evaluate function
- Reply-to: xsl-list at lists dot mulberrytech dot com
The same thing that prevents the same situation in ASP, Perl, or PHP based
web applications. Developer intelligence sufficient to realize that you
check EVERYTHING you get from the client before acting upon it.
- Theo
-----Original Message-----
From: Joerg Pietschmann [mailto:joerg.pietschmann@zkb.ch]
Sent: Thursday, January 03, 2002 12:20 PM
To: XSL List
Subject: RE: [xsl] The evaluate function
Apart from all the issues mentioned by Mr.Kay, an eval()
function makes it rather easy to open security holes in
a style sheet.
For example, once you figured out you can put a XPath into
the nice "Enter your query here" field which is passed
directly to an eval() function, what will stop you from
entering
document("file:///C/Documents and Settings/Administrator/preferences.xml")?
:-)
Or, if extension functions may be called indiscriminately:
mswin:delete("C:\*.*","recursive")
Regards
J.Pietschmann
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list