[xsl] XSLT 2.0: Security concerns

Subject: [xsl] XSLT 2.0: Security concerns
From: Justin Johansson <procode@xxxxxxxxxx>
Date: Thu, 19 Jul 2007 00:25:15 +0900
I'm wanting to write some live tutorials on XSLT/XPath 2.0 to place on a new website that is currently under construction.

By live, I mean in the same manner that W3Schools does with "Try-It Yourself" CSS.
http://www.w3schools.com/css/default.asp

So what I intend to give my audience on a "Try-It Yourself" XSLT page is an HTML form with two text boxes, one for editing XML source data and one for editing XSLT code. Both edit boxes will be pre-populated with data & code appropriate to the specific tutorial.

Upon hitting the submit button my Tomcat server will take the XML and XSLT, execute the transform on the server (using Saxon 8b of course) and display the result of the transform back to the user.

One security concern is that someone may enter XPath code containing the document function and access (read) files on the server which are not for public consumption. The solution to this is to check the submitted code and disallow any transform containing the document() function.

Another concern is that someone might try to submit a stylesheet containing Java extensions and attempt to do something really nasty. To this end, the submitted code is restricted to being just the body of an XSL stylesheet, i.e. the server will wrap the code in an xsl:stylesheet element.

Yet another: long running stylesheets or infinite loops. That's easy, just kill the thread if it doesn't terminate after a certain amount of time, say, 100 milliseconds. There's still a lot of XSLT experimenting they can do in this amount of time.

Do people have any advice on whether there are any other security concerns to be aware of?

Justin Johansson
Freelance XML / XSLT / XQuery Developer
Australia

procode(at)tpg(dot)com(dot)au
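The three restrictions discussed in the post (no file access through document(), no Java extension functions, a time limit) can be enforced in the Saxon/JAXP configuration itself rather than by pattern-matching the submitted text. The following is an added illustration written for this thread, not code from the poster or from Saxon; it assumes Saxon's JAXP factory class `net.sf.saxon.TransformerFactoryImpl`, a 100 ms budget as in the post, and a hypothetical `run(xml, xsltBody)` entry point called by the servlet.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.concurrent.*;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/** Runs one user-submitted XSLT 2.0 body under the restrictions discussed in the post. */
public class SandboxedTransform {
    static final long TIMEOUT_MS = 100;                                  // assumption: the post's budget
    static final String SAXON_FACTORY = "net.sf.saxon.TransformerFactoryImpl"; // Saxon's JAXP factory

    /** Refuses every URI lookup: document(), doc(), unparsed-text(), xsl:include and xsl:import all fail. */
    static final URIResolver DENY_ALL = (href, base) -> {
        throw new TransformerException("URI resolution is disabled in the tutorial sandbox: " + href);
    };

    static TransformerFactory lockedDownFactory() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance(SAXON_FACTORY, null);
        // JAXP secure processing: Saxon disables calls to Java extension functions when this is set.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Saxon's own switch for the same thing, set explicitly as well.
        f.setAttribute("http://saxon.sf.net/feature/allow-external-functions", Boolean.FALSE);
        f.setURIResolver(DENY_ALL);   // covers xsl:include / xsl:import at compile time
        return f;
    }

    /** Wraps the submitted body in xsl:stylesheet, as the post proposes, so the user never supplies the root element. */
    static String wrapBody(String body) {
        return "<xsl:stylesheet version=\"2.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
             + body + "</xsl:stylesheet>";
    }

    static String run(String xml, String xsltBody) throws Exception {
        Callable<String> job = () -> {
            Templates compiled = lockedDownFactory()
                .newTemplates(new StreamSource(new StringReader(wrapBody(xsltBody))));
            Transformer t = compiled.newTransformer();
            t.setURIResolver(DENY_ALL);   // covers document() and friends at run time
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        };
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Future<String> result = pool.submit(job);
        try {
            return result.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            result.cancel(true);          // interrupts the worker thread
            throw new RuntimeException("transform exceeded " + TIMEOUT_MS + " ms");
        } finally {
            pool.shutdownNow();
        }
    }
}
```

Note that `cancel(true)` only sets the interrupt flag; a transform that never checks it keeps the worker thread busy, so a bounded pool or a separate worker process is the stronger backstop for the "infinite loop" case.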
