
Re: [xsl] HTML5 semantics and XSLT

2022-02-23 13:33:59
Hi Liam,

Okay, this is fair enough, but what exactly is the XSLT developer to do?

Here, after all, we have a case of a supposed security vulnerability that is 
arguably less likely than a dozen or a hundred others, which is being 
attributed to the deployment of a transformation that is working as designed, 
on inputs that must be maliciously contrived and do not ordinarily appear in 
the wild.

The reporter of the weakness in question seems to have gone to some trouble to 
find a way to get a script to execute outside one of those sandboxes. It 
appears that one way is to worm it in through OpenOffice using an email 
client's "preview" feature. Yet the capability, once the worm is in, is to work 
just like a web page. This looks like it shouldn't be our problem. Yet somehow 
it is.

David C has helped a little with the question of how to defend against this 
kind of thing but in the air is still the question of whether we do or why we 
should. I'm afraid we don't have much choice.

Cheers, Wendell

-----Original Message-----
From: Liam R. E. Quin liam(_at_)fromoldbooks(_dot_)org 
<xsl-list-service(_at_)lists(_dot_)mulberrytech(_dot_)com> 
Sent: Wednesday, February 23, 2022 2:04 PM
To: xsl-list(_at_)lists(_dot_)mulberrytech(_dot_)com
Subject: Re: [xsl] HTML5 semantics and XSLT

On Wed, 2022-02-23 at 18:37 +0000, Piez, Wendell A. (Fed) 
wendell(_dot_)piez(_at_)nist(_dot_)gov wrote:
> Hi again,
>
> To Mike's question "And presumably any harm that can be done using
> this exploit could equally be done by executing untrusted HTML in the
> browser directly?"
>
> Indeed it could.

This is why there are sandbox facilities in HTML, in which you can say, 
"beneath this element, no scripting is allowed and any additional CSS rules 
will be ignored". The mechanism gives separate control over script, style, 
iframe.

Liam

--
Liam Quin, https://www.delightfulcomputing.com/
Available for XML/Document/Information Architecture/XSLT/ XSL/XQuery/Web/Text 
Processing/A11Y training, work & consulting.
Barefoot Web-slave, antique illustrations: http://www.fromoldbooks.org/
--~----------------------------------------------------------------
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
EasyUnsubscribe: http://lists.mulberrytech.com/unsub/xsl-list/1167547
or by email: xsl-list-unsub(_at_)lists(_dot_)mulberrytech(_dot_)com
--~--
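An added example, not part of this thread and not code from any of the posters, of the two defences the exchange touches on: an allow-list pass over untrusted (X)HTML before it is copied to the output, and HTML's own sandbox facility for whatever gets through. The element and attribute policy here is the kind of thing an XSLT identity transform with a few overriding templates would do; it is written in Python on xml.etree so it runs stand-alone, and the input fragment is constructed for the demonstration. One caveat worth having: the iframe `sandbox` attribute with no tokens disables script execution, forms and popups and gives the content a unique origin, but it does not filter CSS on its own, so the example strips `style` itself and adds a CSP `style-src 'none'` inside the sandboxed document. The `DROP_ELEMENTS` and `URL_ATTRIBUTES` lists are the example's own assumptions about policy, not anything from the thread.

```python
"""
Added example (not from the xsl-list thread): allow-list sanitising of an
untrusted XHTML fragment, then embedding the result in a sandboxed iframe.
The sample input below is constructed for the demonstration.
"""
import html
import xml.etree.ElementTree as ET
from typing import Optional

# Policy assumed for the example: whole subtrees that are never copied through.
DROP_ELEMENTS = {"script", "style", "iframe", "object", "embed", "link", "meta"}

# Attributes that carry URLs and so must be checked for a dangerous scheme.
URL_ATTRIBUTES = {"href", "src", "action", "formaction"}

# Constructed sample: an XHTML fragment with the usual script-injection vectors.
UNTRUSTED_FRAGMENT = """<div xmlns="http://www.w3.org/1999/xhtml">
  <p onmouseover="alert(1)">Hello <b>world</b></p>
  <script>alert('injected')</script>
  <a href="javascript:alert(2)">click</a>
  <a href="https://example.org/">ok</a>
  <img src="x" onerror="alert(3)"/>
  <style>body { display: none }</style>
</div>"""


def local_name(tag: str) -> str:
    """Strip ElementTree's '{namespace}' prefix; HTML5 output carries no namespace."""
    return tag.rsplit("}", 1)[-1] if tag.startswith("{") else tag


def unsafe_url(value: str) -> bool:
    """True for javascript:/data:/vbscript: URLs, after removing the whitespace
    and control characters browsers tolerate inside the scheme."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return cleaned.lower().startswith(("javascript:", "data:", "vbscript:"))


def sanitize(elem: ET.Element) -> Optional[ET.Element]:
    """Return a policy-filtered copy of elem, or None if elem is dropped entirely."""
    if not isinstance(elem.tag, str):          # comments / processing instructions
        return None
    name = local_name(elem.tag)
    if name in DROP_ELEMENTS:
        return None
    out = ET.Element(name)
    out.text = elem.text
    for attr, value in elem.attrib.items():
        aname = local_name(attr)
        if aname.lower().startswith("on"):     # event handlers: onclick, onerror, ...
            continue
        if aname == "style":                   # inline CSS; sandbox does not filter it
            continue
        if aname in URL_ATTRIBUTES and unsafe_url(value):
            continue
        out.set(aname, value)
    prev = None
    for child in elem:
        kept = sanitize(child)
        if kept is not None:
            kept.tail = child.tail
            out.append(kept)
            prev = kept
        else:
            # Dropped element: keep the prose that followed it in the document.
            tail = child.tail or ""
            if prev is not None:
                prev.tail = (prev.tail or "") + tail
            else:
                out.text = (out.text or "") + tail
    return out


def sanitize_fragment(xhtml: str) -> str:
    """Parse an XHTML fragment and serialise the filtered copy as HTML5 markup."""
    clean = sanitize(ET.fromstring(xhtml))
    return "" if clean is None else ET.tostring(clean, encoding="unicode", method="html")


def sandboxed_iframe(fragment_html: str, title: str = "untrusted content") -> str:
    """Embed markup in an iframe whose sandbox attribute has no tokens: no script
    execution, no forms, no popups, and a unique opaque origin. A CSP inside the
    srcdoc document adds the separate style control. srcdoc is an attribute, so
    the whole document is escaped as attribute text."""
    doc = (
        '<!DOCTYPE html><html><head><meta charset="utf-8">'
        '<meta http-equiv="Content-Security-Policy" '
        "content=\"default-src 'none'; img-src https:; style-src 'none'\">"
        "</head><body>" + fragment_html + "</body></html>"
    )
    return (
        f'<iframe sandbox="" title="{html.escape(title, quote=True)}" '
        f'srcdoc="{html.escape(doc, quote=True)}"></iframe>'
    )


def defend(xhtml: str) -> str:
    """Both layers together: filter first, then sandbox whatever remains."""
    return sandboxed_iframe(sanitize_fragment(xhtml))


if __name__ == "__main__":
    print(sanitize_fragment(UNTRUSTED_FRAGMENT))
    print(defend(UNTRUSTED_FRAGMENT))
```

The filtering pass is the part that belongs to the stylesheet author (an identity transform plus empty templates for `script`, `style` and `@*[starts-with(name(), 'on')]` does the same job in XSLT); the iframe wrapper is what the consuming page adds so that a vector the filter misses still runs with no script and no access to the embedding origin.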

