- From: Jeremy Carroll <jjc@hpl.hp.com>
- Date: Fri, 09 Mar 2007 10:29:34 +0000
- To: GRDDL Working Group <public-grddl-wg@w3.org>
Draft response:
===========
Thank you for your comment.
The particular operation we had in mind was from XSLT2: xsl:result-document.
Perhaps we should make this more explicit.
The rewrite of this section was motivated by implementer feedback.
Particularly concerning test security3 in
http://jena.sourceforge.net/test/grddl/
which, with a little imagination, could be modified so that malicious
code took control of an overly trusting machine (by writing
appropriately to a key OS file).
Please reply indicating whether this adequately addresses your comment.
============
Process wise: I am assuming that in this Last Call phase responses to
comments should only be sent by the editor or the chairs, or on their
instruction.
We could consider the following actions in response:
a) migrate some of the Jena security tests into the WG test area
- since many use XSLT2 and/or saxon specific features this
would be more illustrative of the concerns than directlt
useful as tests
b) make it more explicit which of the operations mentioned in
section 8 are from XSLT1 and which from XSLT2
c) add explicit mention of xsl:result-document
If we do wish to do any of these, the text above would need modification.
e.g. replace last line with:
[[
We are still considering what changes, if any, we need to make to
clarify this point, and we will reply again when we have decided.
]]
Jeremy
Received on Friday, 9 March 2007 10:30:04 UTC