- From: <bugzilla@jessica.w3.org>
- Date: Tue, 28 Feb 2012 17:30:49 +0000
- To: public-qt-comments@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=16151

--- Comment #1 from Michael Kay <mike@saxonica.com> 2012-02-28 17:30:49 UTC ---

The current specification uses an instruction xsl:evaluate, with nested xsl:with-param elements to define the values of any variables used in the constructed XPath expression. The expression does not have access to the variables defined in the stylesheet, other than any variables explicitly passed using xsl:with-param. Using an instruction rather than a function also allows control over other aspects of the context such as the namespace bindings and the base URI. (We specified xsl:evaluate before we had maps, which is perhaps why we don't pass the parameters as a map).

Of course, the risk of injection remains if people (rather than using parameters) use string concatenation to construct the expression, without adequate checking. I think it's entirely appropriate to include a warning of the risks.
Received on Tuesday, 28 February 2012 17:30:55 UTC
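The contrast the comment draws, shown as an added example that is not part of the bug thread and not Michael Kay's or the Working Group's code: one stylesheet evaluates the same lookup twice, once with the expression built by string concatenation and once with the untrusted value bound through xsl:with-param. The input document, the stylesheet parameters `requested-user` and `lookup-expr`, and the variable name `$who` are all hypothetical; the XSLT 3.0 syntax follows the published recommendation, which requires a processor that implements the optional dynamic evaluation feature.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the bug thread.
     Hypothetical input document (constructed for this example):
       <users>
         <user name="alice" role="user"/>
         <user name="root"  role="admin"/>
       </users>
     Hypothetical untrusted value: the stylesheet parameter $requested-user,
     as a web front end might pass it from a query string. -->
<xsl:stylesheet version="3.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                exclude-result-prefixes="xs">

  <!-- Untrusted input. The default is benign; the attack value is
       x' or @role='admin   (assumed attacker-supplied). -->
  <xsl:param name="requested-user" as="xs:string" select="'alice'"/>

  <!-- Trusted expression text, e.g. read from configuration at deploy time.
       It refers to the user value only through the XPath variable $who. -->
  <xsl:param name="lookup-expr" as="xs:string"
             select="'/users/user[@name = $who]'"/>

  <xsl:output method="xml" indent="yes"/>

  <xsl:template match="/">
    <result>

      <!-- VULNERABLE: the expression is assembled by concatenation, so the
           value becomes part of the expression's syntax. With the attack value
           the evaluated string is
             /users/user[@name='x' or @role='admin']
           and the admin record is returned. -->
      <unsafe>
        <xsl:evaluate context-item="."
                      xpath="concat('/users/user[@name=''', $requested-user, ''']')"/>
      </unsafe>

      <!-- SAFE: the expression text is fixed and trusted; the untrusted value
           is bound to $who with xsl:with-param. Inside the dynamic expression
           $who is an ordinary string value compared by eq/=, so quotes or
           operators in it cannot change the structure of the expression.
           Stylesheet variables are not visible to the expression unless passed
           this way, which keeps the evaluation's scope explicit. -->
      <safe>
        <xsl:evaluate context-item="." xpath="$lookup-expr">
          <xsl:with-param name="who" select="$requested-user"/>
        </xsl:evaluate>
      </safe>

    </result>
  </xsl:template>

</xsl:stylesheet>
```

Run it with `requested-user` set to `x' or @role='admin` and the `<unsafe>` element contains the `root` record while `<safe>` is empty. The parameter mechanism only protects values: if the expression text itself (`lookup-expr` here) can be influenced by the caller, xsl:evaluate is still evaluating attacker-chosen XPath, and the warning the comment asks for applies unchanged.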