It's also worth advising that untrusted queries should not be allowed to execute external (extension) functions or to call the doc() or collection() function with a file:/// URI. Many sites (including W3C and Google) have been known to set up services that allowed execution of untrusted XSLT stylesheets without inhibiting such features. Michael Kay > -----Original Message----- > From: public-qt-comments-request@w3.org > [mailto:public-qt-comments-request@w3.org] On Behalf Of Dan Connolly > Sent: 28 November 2005 21:54 > To: public-qt-comments@w3.org > Cc: Thomas Roessler > Subject: XQuery spec doesn't warn about injection attacks > > > SQL injection attacks are a well-known risk. Surely there's an analog > for XQuery. > Please warn about them. > > http://www.w3.org/TR/xquery/#id-security-considerations > > (I spent (another) 10 minutes trying to get my bugzilla > account working > and failed. Rather > than punt to the someday pile, I'm sending mail. Sorry.) > > -- > Dan Connolly, W3C http://www.w3.org/People/Connolly/ > > >Received on Monday, 28 November 2005 22:38:25 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:14:42 GMT