- From: Michael Kay <mhk@mhk.me.uk>
- Date: Mon, 28 Nov 2005 22:37:37 -0000
- To: "'Dan Connolly'" <connolly@w3.org>, <public-qt-comments@w3.org>
- Cc: "'Thomas Roessler'" <tlr@w3.org>
It's also worth advising that untrusted queries should not be allowed to execute external (extension) functions or to call the doc() or collection() function with a file:/// URI. Many sites (including W3C and Google) have been known to set up services that allowed execution of untrusted XSLT stylesheets without inhibiting such features.

Michael Kay

> -----Original Message-----
> From: public-qt-comments-request@w3.org
> [mailto:public-qt-comments-request@w3.org] On Behalf Of Dan Connolly
> Sent: 28 November 2005 21:54
> To: public-qt-comments@w3.org
> Cc: Thomas Roessler
> Subject: XQuery spec doesn't warn about injection attacks
>
> SQL injection attacks are a well-known risk. Surely there's an analog
> for XQuery.
> Please warn about them.
>
> http://www.w3.org/TR/xquery/#id-security-considerations
>
> (I spent (another) 10 minutes trying to get my bugzilla account working
> and failed. Rather than punt to the someday pile, I'm sending mail. Sorry.)
>
> --
> Dan Connolly, W3C http://www.w3.org/People/Connolly/
Received on Monday, 28 November 2005 22:38:25 UTC
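An added example, not part of the original thread: host-application Python that shows the injection point Dan Connolly asks the spec to warn about (query text assembled by string concatenation versus a constant query with an external variable binding) and the doc()/collection() URI restriction Michael Kay recommends. The query strings, the users.xml document name and the resolver hook are assumptions; no XQuery processor is run here.

```python
from urllib.parse import urlsplit


def build_query_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted input is pasted into the query text, so a
    quote character in `name` changes the structure of the predicate. This is
    the XQuery analogue of SQL injection."""
    return "doc('users.xml')//user[name = '" + name + "']"


# Hardened pattern: the query text is a constant. The untrusted value is
# passed to the processor as the value of an external variable, so it is
# always treated as a string and never re-parsed as query syntax.
SAFE_QUERY = (
    "declare variable $name as xs:string external;\n"
    "doc('users.xml')//user[name = $name]"
)


def build_query_safe(name: str):
    """Returns (query_text, bindings). The host passes `bindings` to the
    processor's API (assumed); the query text never depends on the input."""
    return SAFE_QUERY, {"name": name}


# Schemes that doc()/collection() may open on behalf of an untrusted query.
# file: is deliberately absent, per Kay's advice above.
ALLOWED_SCHEMES = {"http", "https"}


def uri_allowed(absolute_uri: str) -> bool:
    """Policy hook for a URI resolver installed for untrusted queries
    (assumed mechanism). Expects the URI after base-URI resolution; a
    relative reference has no scheme and is refused rather than guessed."""
    scheme = urlsplit(absolute_uri).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def query_text_is_constant(inputs) -> bool:
    """Check used in review/tests: the safe builder must produce identical
    query text for every input, otherwise input is leaking into syntax."""
    texts = {build_query_safe(value)[0] for value in inputs}
    return len(texts) == 1
```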