
Regarding dynamic execution of expressions & security (Was: Re: [F&O] Casting to xs:NOTATION, xs:QName not clarified)

From: Laurens Holst <lholst@students.cs.uu.nl>
Date: Thu, 03 Feb 2005 09:29:48 +0100
Message-ID: <4201E0FC.7070208@students.cs.uu.nl>
To: Michael Rys <mrys@microsoft.com>
Cc: public-qt-comments@w3.org

Michael Rys wrote:
> The problem is that in some implementation environments, dynamic
> execution of expressions is considered a security risk and it is not
> clear how this will relate to static typing of the query and some other
> issues. The WG has decided to not standardize this aspect in this
> version to gain more experience with the existing language feature and
> to maybe add it at a later point (vNext).

A small comment regarding the security risk argument: XSLT allows access 
to external documents using the document() function. These document URIs 
are regular strings, which can be taken from the document (and 
frequently are, e.g. when rendering multiple documents based on an XML 
file with a TOC), and are not necessarily limited to local paths. This 
basically allows access to arbitrary external documents and IMHO this is 
a much larger security risk, yet that didn't prevent standardisation.

My 2¢.


~Grauw

-- 
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
Received on Thursday, 3 February 2005 08:30:36 UTC
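The document() pattern Laurens describes, as an added example that is not part of the mail or the W3C archive: a stylesheet follows a URI taken from the input data (a TOC entry), run under Python lxml once with libxslt's default permissions and once with an XSLTAccessControl that denies file and network reads. The stylesheet, the TOC and the "secret" file are all constructed here; nothing else is assumed.

```python
# Added example: data-supplied URI reaching document(), with and without access control.
import tempfile
from pathlib import Path
from lxml import etree

# Constructed stylesheet: renders a TOC by dereferencing each chapter's href via
# document(), as a multi-document rendering would, and copies the fetched text out.
TOC_RENDERER = b"""<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:for-each select="/toc/chapter">
      <xsl:value-of select="document(@href)"/>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>"""


def render_toc(toc_xml: bytes, restricted: bool) -> str:
    """Apply TOC_RENDERER to toc_xml. With restricted=True, document() may not
    read files or the network; a denied read yields "" instead of the content."""
    options = {}
    if restricted:
        # Hardened configuration: libxslt security prefs forbid file/network reads.
        options["access_control"] = etree.XSLTAccessControl(
            read_file=False, read_network=False)
    transform = etree.XSLT(etree.XML(TOC_RENDERER), **options)
    try:
        return str(transform(etree.XML(toc_xml)))
    except etree.XSLTApplyError:
        return ""  # libxslt reports the denied read as a transformation error


def demo() -> tuple:
    """Stage a constructed 'sensitive' XML file that is not part of the input,
    then let a TOC pointing at it drive document() in both configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.xml"
        secret.write_bytes(b"<config>CONSTRUCTED-SECRET</config>")
        # The href is ordinary string data in the input, not a local relative path.
        toc = ('<toc><chapter href="%s"/></toc>' % secret.as_uri()).encode()
        return render_toc(toc, restricted=False), render_toc(toc, restricted=True)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("unrestricted:", repr(leaked))
    print("restricted:  ", repr(blocked))
```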
