Michael Kay wrote:
I've certainly seen (and written) real applications in which
xsl:evaluate (or equivalent) was used to evaluate XPath
expressions read from cells in Excel spreadsheets. The
operating system has no idea this is going on, so the
distinction between read permission and execute
permission is meaningless.
Wow!
Let me be sure that I understand the full implications of this.
Consider this scenario: We have an XML document that, for whatever reason, must
be read-only. It must not be written to (no write permission) and it must not
be executed (no execute permission). The operating system understands this and
will enforce this.
However, if the XML document contains XPath expressions, then the XSLT program
that is reading the XML document can read the XPath expressions and execute
them using xsl:evaluate. So, in a sense, the XML document is being executed.
And, the operating system has no idea that the XML document is being executed
and no way to prevent it.
This is a way to circumvent the operating system's enforcement of read-only
permission.
Do I understand correctly? Have I described the full implications of this
scenario or is there more to be learned from the scenario? Or is Michael
alluding to some other scenario?
/Roger
--~----------------------------------------------------------------
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
EasyUnsubscribe: http://lists.mulberrytech.com/unsub/xsl-list/1167547
or by email: xsl-list-unsub(_at_)lists(_dot_)mulberrytech(_dot_)com
--~--