- From: Ivan Herman <ivan@w3.org>
- Date: Thu, 22 May 2014 09:28:48 +0200
- To: Yakov Shafranovich <yakov-ietf@shaftek.org>
- Cc: W3C CSV on the Web Working Group <public-csv-wg@w3.org>
Received on Thursday, 22 May 2014 07:29:18 UTC
Yakov,

I think it is important to keep track of this, so I added a new issue:

https://github.com/w3c/csvw/issues/8

Ivan

On 22 May 2014, at 05:21 , Yakov Shafranovich <yakov-ietf@shaftek.org> wrote:

> One of the things I brought up during today's call is something I
> wanted to share with the list as well - security. Specifically, in
> regards to the conversion between CSV and other formats, especially
> where templates and languages are involved, we need to keep security
> in mind.
>
> IETF has an example of what they use here:
>
> http://tools.ietf.org/html/rfc3552
>
> For example, if we allow users to publish a template in XSLT, regex,
> etc. those consuming the template need to be aware that it may be
> malicious. Some examples are including files from the file system,
> running regex expressions that may cause DOS attacks, etc.
> Additionally, allowing URLs to point to outside systems may be an
> issue as well.
>
> I believe there is a security review process via the web security WG
> for W3C standards but I am not familiar enough with it:
>
> http://www.w3.org/Security/wiki/IG/W3C_spec_review
>
> Just my two cents,
> Yakov
>

----
Ivan Herman, W3C Digital Publishing Activity Lead
Home: http://www.w3.org/People/Ivan/
mobile: +31-641044153
GPG: 0x343F1A3D
WebID: http://www.ivan-herman.net/foaf#me
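A consumer-side check for the three risks named in the quoted message (file inclusion, slow regexes, URLs to outside systems), as an added example that is not part of the original thread or of any CSVW specification. The template layout (`regex`, `includes`), the allow-listed host and the time budget are assumptions made for illustration.

```python
import subprocess
import sys
from urllib.parse import urlsplit

# Assumed consumer policy: the only host this deployment will fetch from.
ALLOWED_HOSTS = {"data.example.org"}
# Child program: the untrusted pattern runs in its own process so the parent
# can kill it. Exit 10 = match, 11 = no match, anything else = bad pattern.
_CHILD = "import re,sys; sys.exit(10 if re.search(sys.argv[1], sys.argv[2]) else 11)"
# Constructed sample templates (hypothetical layout, not a CSVW format).
GOOD = {"regex": r"^\d{4}-\d{2}-\d{2}$",
        "includes": ["https://data.example.org/schema.json"]}
BAD = {"regex": r"(a+)+$", "includes": ["file:///etc/passwd", "../local.xsl"]}


def reference_allowed(ref: str) -> bool:
    """Accept only https URLs on allow-listed hosts; no file: or bare paths."""
    try:
        parts = urlsplit(ref)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def match_with_deadline(pattern: str, text: str, seconds: float = 3.0) -> bool:
    """Evaluate re.search(pattern, text) under a hard wall-clock limit."""
    try:
        proc = subprocess.run([sys.executable, "-c", _CHILD, pattern, text],
                              timeout=seconds, capture_output=True)
    except subprocess.TimeoutExpired:  # run() has already killed the child
        raise ValueError("regex exceeded time budget") from None
    if proc.returncode not in (10, 11):
        raise ValueError("regex rejected (invalid pattern)")
    return proc.returncode == 10


def vet_template(template: dict, sample_cell: str) -> list:
    """Return the reasons to refuse a template; an empty list means accept."""
    problems = [f"reference not allowed: {ref}"
                for ref in template.get("includes", [])
                if not reference_allowed(ref)]
    try:
        match_with_deadline(template["regex"], sample_cell)
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```

The deadline bounds each evaluation against the data actually being converted, so it does not depend on recognising a slow pattern by inspection.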