- From: Laurens Holst <lholst@students.cs.uu.nl>
- Date: Thu, 03 Feb 2005 09:29:48 +0100
- To: Michael Rys <mrys@microsoft.com>
- Cc: public-qt-comments@w3.org
Michael Rys wrote:

> The problem is that in some implementation environments, dynamic
> execution of expressions is considered a security risk and it is not
> clear how this will relate to static typing of the query and some other
> issues. The WG has decided to not standardize this aspect in this
> version to gain more experience with the existing language feature and
> to maybe adding it at a later point (vNext).

A small comment regarding the security risk argument:

XSLT allows access to external documents using the document() function. These document URIs are regular strings, which can be taken from the document (and frequently are, e.g. when rendering multiple documents based on an XML file with a TOC), and are not necessarily limited to local paths. This basically allows access to arbitrary external documents and IMHO this is a much larger security risk, yet that didn’t prevent standardisation.

My 2¢.

~Grauw

--
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
Received on Thursday, 3 February 2005 08:30:36 UTC
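
The message above describes URIs taken from an input document (such as a TOC) being passed to document(). The following is an added example, not part of the original message, of vetting such URIs before a transform runs; the `toc`/`entry`/`href` names, `BASE_URI`, `ALLOWED_ROOT` and the file-only policy are assumptions made for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urljoin, urlsplit

# Constructed sample: a TOC whose href values a stylesheet would hand to document().
TOC_XML = """<toc>
  <entry href="chapters/intro.xml"/>
  <entry href="../../etc/passwd"/>
  <entry href="http://example.org/remote.xml"/>
  <entry href="file:///srv/docs/book/appendix.xml"/>
  <entry href="chapters/%2e%2e/%2e%2e/secret.xml"/>
</toc>"""

BASE_URI = "file:///srv/docs/book/toc.xml"  # assumption: where the TOC lives
ALLOWED_ROOT = "/srv/docs/book/"            # assumption: policy root, trailing slash required


def vet_uri(href, base_uri=BASE_URI, root=ALLOWED_ROOT):
    """Resolve href against the base URI, as a relative document() argument
    would be, and return (resolved_uri, allowed)."""
    resolved = urljoin(base_uri, href)
    parts = urlsplit(resolved)
    # Anything that is not a local file URI (http, ftp, remote file hosts) is refused.
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        return resolved, False
    # Decode percent-escapes before normalising so "%2e%2e" cannot hide a "..".
    path = posixpath.normpath(unquote(parts.path))
    return resolved, path.startswith(root)


def vet_toc(toc_xml):
    """Return [(href, allowed)] for every entry/@href in the TOC."""
    return [(e.get("href"), vet_uri(e.get("href"))[1])
            for e in ET.fromstring(toc_xml).iter("entry")]


if __name__ == "__main__":
    for href, allowed in vet_toc(TOC_XML):
        print("ALLOW" if allowed else "DENY ", href)
```

The check belongs in front of whatever resolver the XSLT processor uses, so that only URIs it allows are ever fetched.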