- From: Norman Walsh <ndw@nwalsh.com>
- Date: Tue, 02 Jun 2015 15:12:21 +0100
- To: XProc Dev <xproc-dev@w3.org>
- Message-ID: <87vbf6urlm.fsf@nwalsh.com>
Conal Tuohy <conal.tuohy@gmail.com> writes:

> I had a vague but false memory that the p:xslt step had an option to
> enforce a kind of "safe mode". Alas it looks like wishful thinking.

XML Calabash does implement a "safe mode",

http://xmlcalabash.com/docs/reference/cfg.safe-mode.html

but I don't make any guarantees.

> It seems to me that to perform secure XSLT processing one would need
> to be able to supply a URI resolver to prevent access to the local
> file system,

Yes, I'll add a bug to enable that (it might already be enabled, but a
quick grep didn't convince me.)

> and to disable any XSLT extension functions that might

I don't know how practical that is, but I agree you'd need to.

> pose a risk, and perhaps even to enforce a timeout on XSLT execution.

That's also doable, I suppose.

Be seeing you,
norm
--
Norman Walsh
Lead Engineer
MarkLogic Corporation
Phone: +1 512 761 6676
www.marklogic.com
Received on Tuesday, 2 June 2015 14:12:50 UTC
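
The three measures discussed in this message (a URI resolver that blocks file-system access, disabling extension functions, and an execution timeout), shown together as an added example that is not from the original post or from XML Calabash. It assumes the JDK's built-in JAXP XSLT processor on Java 9 or later; the class name `LockedDownXslt` and the sample stylesheet are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.concurrent.*;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Hypothetical class; JDK JAXP only (Java 9+), not XML Calabash's own code.
public class LockedDownXslt {
    static String transform(String xslt, String xml, long timeoutMs) throws Exception {
        TransformerFactory tf = TransformerFactory.newDefaultInstance();
        // Secure processing: the JDK processor rejects extension functions.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol lists: no external DTD or stylesheet fetches at all.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // Deny-all resolver: any href the stylesheet asks for is refused.
        URIResolver denyAll = (href, base) -> {
            throw new TransformerException("blocked URI: " + href);
        };
        tf.setURIResolver(denyAll);   // compile time: xsl:import, xsl:include
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
        t.setURIResolver(denyAll);    // run time: document()

        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread th = new Thread(r, "xslt-worker");
            th.setDaemon(true);       // a stuck transform cannot keep the JVM alive
            return th;
        });
        try {
            Future<String> job = pool.submit(() -> {
                StringWriter out = new StringWriter();
                t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
                return out.toString();
            });
            // The caller stops waiting here; killing a runaway transform
            // for certain needs a separate process.
            return job.get(timeoutMs, TimeUnit.MILLISECONDS);
        } finally {
            pool.shutdownNow();       // interrupts the worker if still running
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stylesheet and input.
        String xsl = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:output omit-xml-declaration='yes'/>"
            + "<xsl:template match='/'><ok><xsl:value-of select='/in'/></ok></xsl:template></xsl:stylesheet>";
        System.out.println(transform(xsl, "<in>constructed sample</in>", 2000));
    }
}
```

The timeout only bounds how long the caller waits: interrupting the worker thread does not guarantee the transform stops, so untrusted stylesheets that must be killed reliably belong in a separate process with its own resource limits.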