xsl-list
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[xsl] XSL Injection, is it possible?

2006-05-29 04:37:18
from [G. T. Stresen-Reuter] [Permanent Link] 
Hi,
I have a web-based CMS in which all the data is stored in an XML file. I use XSL extensively. I take user input and insert it into the XML file in several different places.
Currently my sanitizing function just escapes <, >, ', and " in the input but I was wondering if anyone knows of other vectors by which attackers can enter. Are these characters recognized by the XSLT engine if they are hex or unicode encoded?
Thanks in advance and I hope this hasn't been covered elsewhere (I haven't been able to find anything on it). 

Ted Stresen-Reuter


--~------------------------------------------------------------------
XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
To unsubscribe, go to: http://lists.mulberrytech.com/xsl-list/
or e-mail: <mailto:xsl-list-unsubscribe(_at_)lists(_dot_)mulberrytech(_dot_)com>
--~--
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [xsl] Positional Grouping problem, Florent Georges
Next by Date:  Re: [xsl] XSL Injection, is it possible?, David Carlisle
Previous by Thread:  [xsl] Positional Grouping problem, Munt,Peter \(BOC eServices\)
Next by Thread:  Re: [xsl] XSL Injection, is it possible?, David Carlisle
Indexes:  [Date] [Thread] [Top] [All Lists]