On Fri, 2007-03-09 at 10:29 +0000, Jeremy Carroll wrote: > > Draft response: > =========== > Thank you for your comment. > > The particular operation we had in mind was from XSLT2: xsl:result-document. > > Perhaps we should make this more explicit. > > The rewrite of this section was motivated by implementer feedback. > Particularly concerning test security3 in > http://jena.sourceforge.net/test/grddl/ > which, with a little imagination, could be modified so that malicious > code took control of an overly trusting machine (by writing > appropriately to a key OS file). > > Please reply indicating whether this adequately addresses your comment. > > ============ That works for me. I see in off-list mail (of 10 Mar 2007 19:43:34 -0500) that Harry concurs. Please do send it; i.e. find out if we can satisfy him without making any spec changes. This doesn't preclude us from making clarifying changes, if WG participants prefer. > Process wise: I am assuming that in this Last Call phase responses to > comments should only be sent by the editor or the chairs, or on their > instruction. Right. > We could consider the following actions in response: > a) migrate some of the Jena security tests into the WG test area > - since many use XSLT2 and/or saxon specific features this > would be more illustrative of the concerns than directlt > useful as tests > b) make it more explicit which of the operations mentioned in > section 8 are from XSLT1 and which from XSLT2 > c) add explicit mention of xsl:result-document > > If we do wish to do any of these, the text above would need modification. > e.g. replace last line with: > [[ > We are still considering what changes, if any, we need to make to > clarify this point, and we will reply again when we have decided. > ]] > > Jeremy -- Dan Connolly, W3C http://www.w3.org/People/Connolly/ D3C2 887B 0F92 6005 C541 0875 0F91 96DE 6E52 C29EReceived on Wednesday, 14 March 2007 13:41:29 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:11:48 GMT