For an initial comment, the same security restrictions that apply to
GRDDL http://www.w3.org/2001/sw/grddl-wg/
so off the top of my head IIRC these are:
1. use of document function - can be used to read local files that you
might not want accessible.
2. use of extension functions in your processor that can run other
type of code - example msxsl script - but you don't have that problem
3. maybe XML security problems, stuff like external entities:
http://www.securiteam.com/securitynews/6D0100A5PU.html
I would suppose libxml handles this well though, but have not done research on the matter.
By the way I need to sort of do the same thing in a project I am
building. Would you like to discuss this further? I'm going to be
offline for the next couple weeks starting tonight so if you say yes
tomorrow I can't reply for a bit :)
Cheers,
Bryan Rasmussen
On 7/26/07, Andrew Mason <andrew(_at_)katalyst(_dot_)com(_dot_)au> wrote:
I was wondering if there were any security considerations with allowing users
to upload their own XSLT?
I'm using libxsl which seems to guard against infinite loops etc., but I was
unsure if there were other things which I should consider from a security
pov.
thanks in advance
Andrew
--~------------------------------------------------------------------
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
To unsubscribe, go to: http://lists.mulberrytech.com/xsl-list/
or e-mail: <mailto:xsl-list-unsubscribe(_at_)lists(_dot_)mulberrytech(_dot_)com>
--~--
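Added example, not part of the thread and not libxslt code: a pre-flight audit of an uploaded stylesheet for the three items listed in the reply (document(), extension functions, DOCTYPE and external entities), using only the Python standard library. The function name, finding labels and sample stylesheets are constructed for illustration; the check assumes XSLT 1.0, fails closed on anything it cannot classify, and is meant to sit in front of processor-level restrictions, not replace them.

```python
import re
import xml.parsers.expat

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
# XPath permits whitespace between a function name and "(".
DOCUMENT_CALL = re.compile(r"(?<![\w.:-])document\s*\(")
# prefix:name( is an extension-function call; an axis such as child:: is not.
PREFIXED_CALL = re.compile(r"(?<![\w.:-])[\w.-]+:(?!:)[\w.-]+\s*\(")


class _Stop(Exception):
    """Raised inside a handler to abandon parsing at the first DOCTYPE."""


def audit_stylesheet(data: bytes) -> list:
    """Return (kind, detail) findings; an empty list means nothing flagged."""
    findings = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(("doctype", name))
        raise _Stop  # stop before any entity declaration is processed

    def on_start(tag, attrs):
        ns, _, local = tag.rpartition(" ")
        if ns == XSLT_NS and local in ("import", "include"):
            findings.append((local, attrs.get("href", "")))
        for attr, value in attrs.items():
            if attr.endswith("extension-element-prefixes") and value.strip():
                findings.append(("extension-element", value))
            if DOCUMENT_CALL.search(value):
                findings.append(("document", value))
            if PREFIXED_CALL.search(value):
                findings.append(("extension-call", value))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append(("malformed", str(exc)))
    return findings


# Constructed samples, not taken from the thread.
_HEAD = b'<xsl:stylesheet version="1.0" xmlns:xsl="' + XSLT_NS.encode() + b'" xmlns:dyn="http://exslt.org/dynamic">'
BENIGN = _HEAD + b'<xsl:template match="/"><n><xsl:value-of select="count(child::node())"/></n></xsl:template></xsl:stylesheet>'
FLAGGED = _HEAD + b'<xsl:include href="other.xsl"/><xsl:template match="/"><xsl:copy-of select="document (\'file:///placeholder\')"/><xsl:value-of select="dyn:evaluate(@e)"/></xsl:template></xsl:stylesheet>'
WITH_DTD = b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///placeholder">]>' + BENIGN
```

Functions defined in an msxsl:script block are only reachable through a prefixed call, so the "extension-call" rule covers that case from the reply as well.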