RE: [xsl] The evaluate function

["Matt G." <matt_g_@xxxxxxxxxxx>]

> Apart from all the issues mentioned by Mr.Kay, an eval()
> function makes it rather easy to open security holes in
> a style sheet.

Indeed, you have cited some serious problems.  However, I disagree with you 
on their exact nature and origin.


> For example, once you figured out you can put a XPath into
> the nice "Enter your query here" field which is passed
> directly to an eval() function, what will stop you from
> entering document("file:///C/Documents and 
> >Settings/Administrator/preferences.xml")?

Why would someone allow users to pass input directly to an XPath evaluate 
function?  This seems to me like a bad idea.  Furthermore, proper use of 
permissions should prevent access to system configuration files.


> Or, if extension functions may be called indiscriminately:
>  mswin:delete("C:\*.*","recursive")

What is such an extension function even doing in an XSLT processor!?  
Furthermore, it seems similarly absurd for an admin not to configure the 
system's permissions to preclude such things.

I don't think it makes sense to handicap a standard, based on 
vulnerabilities introduced by nonstandard extensions used on poorly 
administrated systems.


Matthew Gruenke


_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx


XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list