However, if the XML document contains XPath expressions, then the XSLT
program that is reading the XML document
can read the XPath expressions and execute them using xsl:evaluate. So,
in a sense, the XML document is being executed.
And, the operating system has no idea that the XML document is being
executed and no way to prevent it.
Actually, the XPath expression(s) don't need to be within an XML document.
They can reside in any (text) file and be read by the standard XPath
function fn:unparsed-text().
For many years I have been using libraries of pure XPath functions, that
reside in what in fact are text files, with extension .xpath. Each such
.xpath file is referred to as a separate "function library".
These comprise the foundation of a pure XPath-programming system, and are
loaded by an "extension function", written in XSLT ...
If a specific XPath function library needs the functions of other XPath
function libraries, it just loads these function libraries by calling the
loader extension.
Thus when such a system is executed, there are numerous load operations,
some of these might be nested recursively. The recursion happens within the
<xsl:evaluate> in the loadFunctionLibraries() function (part of the loader
extension) below.
Here is the loader:
<xsl:stylesheet version="3.0" xmlns:xsl="
http://www.w3.org/1999/XSL/Transform";
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xmlns:map="http://www.w3.org/2005/xpath-functions/map";
xmlns:f="http://www.fxpath.org";>
<xsl:variable name="vBaseFXpathUri"
select="(environment-variable('FXpathDir')[normalize-space()],
'..')[1]"/>
<xsl:template name="loadFunctionLibraries" as="map(*)">
<xsl:param name="pFilePaths" as="xs:string+"/>
<xsl:sequence select="f:loadFunctionLibraries($pFilePaths)"/>
</xsl:template>
<xsl:function name="f:loadFunctionLibraries" as="map(*)"
visibility="public">
<xsl:param name="pLibrariesUris" as="xs:string+"/>
<xsl:variable name="vAllText" as="xs:string+" select=
"string-join(
(for $p in $pLibrariesUris
return unparsed-text($p)
),
',
'
)"/>
<xsl:evaluate xpath="'map:merge((' || $vAllText || '))'">
<xsl:with-param name="pBaseFXpathUri" select="$vBaseFXpathUri"/>
</xsl:evaluate>
</xsl:function>
</xsl:stylesheet>
As an example, here is a test of the functions in the special-folds.xpath
library. This test (written in XSLT) loads the function library and tests
each of the functions in it. The special-folds.xpath itself loads 2 other
function libraries: folds.xpath and operators.xpath :
<xsl:stylesheet version="3.0" xmlns:xsl="
http://www.w3.org/1999/XSL/Transform";
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xmlns:f="http://www.fxpath.org";>
<xsl:import href="../initialization/Loader.xsl"/>
<xsl:output method="text" omit-xml-declaration="yes" indent="yes"/>
<!-- ======= Load the file with the XPath functions to be tested
================== -->
<xsl:variable name="vBaseFXpathUri"
select="(environment-variable('FXpathDir')[normalize-space()],
'..')[1]"/>
<xsl:variable name="vFuns" as="map(*)"
select="f:loadFunctionLibraries($vBaseFXpathUri ||
'/f/special-folds.xpath')"/>
<!--
==============================================================================
-->
<xsl:template name="xsl:initial-template">
<xsl:sequence select="$vFuns?and((true(), true(), true()))"/>
<xsl:sequence select="$vFuns?and((true(), true(), false()))"/>
<xsl:sequence select="$vFuns?or((false(), false(), false()))"/>
<xsl:sequence select="$vFuns?or((true(), false(), false()))"/>
<xsl:sequence select="$vFuns?any(function($n) {$n idiv 2 * 2 eq $n},
(1,3,5))"/>
<xsl:sequence select="$vFuns?any(function($n) {$n idiv 2 * 2 eq $n},
(1,3,6))"/>
<xsl:sequence select="$vFuns?all(function($n) {$n idiv 2 * 2 eq $n},
(1,2,6))"/>
<xsl:sequence select="$vFuns?all(function($n) {$n idiv 2 * 2 eq $n},
(0,2,6))"/>
<xsl:sequence select="$vFuns?sum(1 to 10)"/>
<xsl:sequence select="$vFuns?product(1 to 6)"/>
<xsl:sequence select="$vFuns?minimum((6,8,3, -2))"/>
<xsl:sequence select="$vFuns?minimum(('Alas', 'Baba', 'A2', 'Zebra'))"/>
<xsl:sequence select="$vFuns?minimum((xs:date('2001-07-14'),
current-date()))"/>
<xsl:sequence select="$vFuns?maximum((6,8,3, -2))"/>
<xsl:sequence select="$vFuns?maximum(('Alas', 'Baba', 'A2', 'Zebra'))"/>
<xsl:sequence select="$vFuns?maximum((xs:date('2001-07-14'),
current-date()))"/>
<xsl:sequence select="$vFuns?concat(('a1', 'b2', 'c3'))"/>
</xsl:template>
</xsl:stylesheet>
And here is (just the start) of special-folds.xpath:
(: =============== Include operators.xpath ============================:)
let $ops := Q{http://www.fxpath.org}loadFunctionLibraries#1(
concat($pBaseFXpathUri, '/f/operators.xpath')),
(: ================ Include folds.xpath ===============================:)
$folds := Q{http://www.fxpath.org}loadFunctionLibraries#1(
concat($pBaseFXpathUri, '/f/folds.xpath')
),
(: Special Folds
====================================================================:)
$and := function ($booleans as xs:boolean*) as xs:boolean
{
$folds?foldl_($ops?conjunction, true(), $booleans)
},
$or := function ($booleans as xs:boolean*) as xs:boolean
{
$folds?foldl_($ops?disjunction, false(), $booleans)
},
$any := function($f as function(item()) as xs:boolean, $list as item()*
) as xs:boolean
{
$or($list!$f(.))
},
. . . . . . . . . .
Thanks,
Dimitre
On Sun, Apr 10, 2022 at 5:45 AM Roger L Costello costello(_at_)mitre(_dot_)org <
xsl-list-service(_at_)lists(_dot_)mulberrytech(_dot_)com> wrote:
Michael Kay wrote:
I've certainly seen (and written) real applications in which
xsl:evaluate (or equivalent) was used to evaluate XPath
expressions read from cells in Excel spreadsheets. The
operating system has no idea this is going on, so the
distinction between read permission and execute
permission is meaningless.
Wow!
Let me be sure that I understand the full implications of this.
Consider this scenario: We have an XML document that, for whatever reason,
must be read-only. It must not be written to (no write permission) and it
must not be executed (no execute permission). The operating system
understands this and will enforce this.
However, if the XML document contains XPath expressions, then the XSLT
program that is reading the XML document can read the XPath expressions and
execute them using xsl:evaluate. So, in a sense, the XML document is being
executed. And, the operating system has no idea that the XML document is
being executed and no way to prevent it.
This is a way to circumvent the operating system's enforcement of
read-only permission.
Do I understand correctly? Have I described the full implications of this
scenario or is there more to be learned from the scenario? Or is Michael
alluding to some other scenario?
/Roger
--
Cheers,
Dimitre Novatchev
---------------------------------------
Truly great madness cannot be achieved without significant intelligence.
---------------------------------------
To invent, you need a good imagination and a pile of junk
-------------------------------------
Never fight an inanimate object
-------------------------------------
To avoid situations in which you might make mistakes may be the
biggest mistake of all
------------------------------------
Quality means doing it right when no one is looking.
-------------------------------------
You've achieved success in your field when you don't know whether what
you're doing is work or play
-------------------------------------
To achieve the impossible dream, try going to sleep.
-------------------------------------
Facts do not cease to exist because they are ignored.
-------------------------------------
Typing monkeys will write all Shakespeare's works in 200yrs.Will they write
all patents, too? :)
-------------------------------------
Sanity is madness put to good use.
-------------------------------------
I finally figured out the only reason to be alive is to enjoy it.
--~----------------------------------------------------------------
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
EasyUnsubscribe: http://lists.mulberrytech.com/unsub/xsl-list/1167547
or by email: xsl-list-unsub(_at_)lists(_dot_)mulberrytech(_dot_)com
--~--