[Bug 16151] Security concern about xsl:evaluate

https://www.w3.org/Bugs/Public/show_bug.cgi?id=16151

--- Comment #2 from Eric van der Vlist <vdv@dyomedea.com> 2012-02-28 17:44:52 UTC ---
(In reply to comment #1)
> The current specification uses an instruction xsl:evaluate, with nested
> xsl:with-param elements to define the values of any variables used in the
> constructed XPath expression. The expression does not have access to the
> variables defined in the stylesheet, other than any variables explicitly passed
> using xsl:with-param.
> 
> Using an instruction rather than a function also allows control over other
> aspects of the context such as the namespace bindings and the base URI. (We
> specified xsl:evaluate before we had maps, which is perhaps why we don't pass
> the parameters as a map).

An instruction is also more coherent with function definitions.

I wonder how you can return nodes, unless maybe if the instruction is a
declaration (like an SQL prepare statement) separate from the actual call but I
guess I'd rather wait for the next Working Draft than make blind guesses!

> Of course, the risk of injection remains if people (rather than using
> parameters) use string concatenation to construct the expression, without
> adequate checking. I think it's entirely appropriate to include a warning of
> the risks.

Yes. 

Thanks,

Eric

-- 
Configure bugmail: https://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Tuesday, 28 February 2012 17:45:00 UTC