
Re: [xsl] XSLT 2.0: Security concerns

2007-07-18 08:11:13
On Thu, 2007-07-19 at 00:25 +0900, Justin Johansson wrote:
One security concern is that someone may enter XPath code containing the
document function and access (read) files on the server which are not for
public consumption. The solution to this is to check the submitted code and
disallow any transform containing the document() function.

Use a custom URIResolver that works for both the import/includes and the
document function.


Another concern is that someone might try to submit a stylesheet containing
Java extensions and attempt to do something really nasty. To this end, the
submitted code is restricted to being just the body of an XSL stylesheet,
i.e. the server will wrap the code in an xsl:stylesheet element.

Saxon has a property where you can disable extensions.


Do people have any advice on whether there are any other security concerns to
be aware of?

Yes - result-document. I believe Saxon has a way for you to write a
resolver so that result document output can be controlled (haven't done
it).

Maybe turn off your XML parser's XInclude, Schema, DTD handling.

best,
-Rob


--~------------------------------------------------------------------
XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
To unsubscribe, go to: http://lists.mulberrytech.com/xsl-list/
or e-mail: <mailto:xsl-list-unsubscribe(_at_)lists(_dot_)mulberrytech(_dot_)com>
--~--
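
The following is an added example, not code from the thread or from Saxon: a JAXP sketch of the advice above, with one deny-by-default URIResolver shared by xsl:import/xsl:include and document(), plus a parser with XInclude and DTDs turned off. The class name, the /srv/xslt-public directory and the choice to resolve every href against that directory are assumptions; the DOCTYPE feature id is the Xerces one and other parsers may not recognise it; result-document control is not covered.

```java
import java.io.*;
import java.net.URI;
import java.nio.file.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.*;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.*;
import org.xml.sax.InputSource;

public class SandboxedTransform {
    // Assumption: the only directory submitted stylesheets may read from.
    static final Path ALLOWED = Paths.get("/srv/xslt-public");

    // One resolver for xsl:import, xsl:include and document(). It always returns a
    // Source or throws: returning null would hand the URI back to the processor's
    // default resolution, which is what must not happen here.
    static final URIResolver RESOLVER = (href, base) -> {
        try {
            URI uri = URI.create(href);
            if (uri.getScheme() != null) throw new TransformerException("scheme refused: " + href);
            Path root = ALLOWED.toRealPath();
            Path p = root.resolve(uri.getPath()).toRealPath(); // collapses ".." and symlinks
            if (!p.startsWith(root) || !Files.isRegularFile(p))
                throw new TransformerException("outside allowed directory: " + href);
            return new StreamSource(p.toFile());
        } catch (IOException | IllegalArgumentException e) {
            throw new TransformerException("refused: " + href, e);
        }
    };

    static SAXSource parse(SAXParserFactory spf, Reader r) throws Exception {
        return new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(r));
    }

    static String transform(Reader stylesheet, Reader input) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setXIncludeAware(false);                                   // no XInclude
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);   // limits are processor-specific
        tf.setURIResolver(RESOLVER);                                   // import/include at compile time
        Transformer t = tf.newTransformer(parse(spf, stylesheet));
        t.setURIResolver(RESOLVER);                                    // document() at run time
        StringWriter out = new StringWriter();
        t.transform(parse(spf, input), new StreamResult(out));
        return out.toString();
    }
}
```

The Saxon property for disabling extensions mentioned above would be set on the same TransformerFactory; how far FEATURE_SECURE_PROCESSING alone restricts extension functions depends on the processor in use.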
