W3C home > Mailing lists > Public > public-grddl-wg@w3.org > March 2007

draft response to Elliotte Harold

From: Jeremy Carroll <jjc@hpl.hp.com>
Date: Fri, 09 Mar 2007 10:29:34 +0000
Message-ID: <45F1370E.7090202@hpl.hp.com>
To: GRDDL Working Group <public-grddl-wg@w3.org>


Draft response:
===========
Thank you for your comment.

The particular operation we had in mind was from XSLT2: xsl:result-document.

Perhaps we should make this more explicit.

The rewrite of this section was motivated by implementer feedback.
Particularly concerning test security3 in
   http://jena.sourceforge.net/test/grddl/
which, with a little imagination, could be modified so that malicious 
code took control of an overly trusting machine (by writing 
appropriately to a key OS file).

Please reply indicating whether this adequately addresses your comment.

============

Process wise: I am assuming that in this Last Call phase responses to 
comments should only be sent by the editor or the chairs, or on their 
instruction.

We could consider the following actions in response:
a) migrate some of the Jena security tests into the WG test area
     - since many use XSLT2 and/or saxon specific features this
       would be more illustrative of the concerns than directlt
       useful as tests
b) make it more explicit which of the operations mentioned in
    section 8 are from XSLT1 and which from XSLT2
c) add explicit mention of xsl:result-document

If we do wish to do any of these, the text above would need modification.
e.g. replace last line with:
[[
We are still considering what changes, if any, we need to make to
clarify this point, and we will reply again when we have decided.
]]

Jeremy
Received on Friday, 9 March 2007 10:30:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:52:36 UTC