Re: XSLT style sheets

From: Brian Smith <bsmith@mozilla.com>
Date: Tue, 14 Jun 2011 12:16:34 -0700 (PDT)
To: Brad Hill <bhill@paypal-inc.com>
Cc: public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>
Message-ID: <974507233.204431.1308078994148.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>

Brad Hill wrote:
> I'm also concerned here that the XSLTProcessor.importStylesheet()
> appears to allow the stylesheet to be loaded from any DOM node,
> including in the current document? This is equivalent to an inline
> <script> block and would also have to be subject to the same CSP
> restrictions that inline script is.

JavaScript can pull out any content from the DOM and eval() it, which seems like basically the same problem. With eval(), you are using the JavaScript interpreter; with importStylesheet(), you are using the XSLT processor. The directive that restricts eval() should restrict importStylesheet().

Received on Tuesday, 14 June 2011 19:17:07 UTC