[Bug 16151] Security concern about xsl:evaluate

https://www.w3.org/Bugs/Public/show_bug.cgi?id=16151

--- Comment #4 from Michael Kay <mike@saxonica.com> 2012-03-16 10:05:31 UTC ---
I have drafted the following (non-normative) Note which I propose adding to the
spec:

<note><p>Stylesheet authors need to be aware of the security risks associated with the
use of <elcode>xsl:evaluate</elcode>. The instruction should not be used to execute
code from an untrusted source. To avoid the risk of code injection, user-supplied
data should never be inserted into the expression using string concatenation, but
should always be referenced by use of parameters. Implementations
<rfc2119>should</rfc2119> provide mechanisms allowing calls on extension functions to
be disabled.</p></note>


Received on Friday, 16 March 2012 10:05:50 UTC
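The two patterns the proposed Note contrasts, shown side by side as an added illustration that is not part of the bug thread, the comment above, or the XSLT 3.0 specification text. It assumes an XSLT 3.0 processor that implements xsl:evaluate; the stylesheet parameter $who, the embedded sample document, and the injection payload are all constructed here for the demonstration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the bug thread or the spec. Assumes an XSLT 3.0
     processor with xsl:evaluate support. $who models untrusted caller input. -->
<xsl:stylesheet version="3.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                exclude-result-prefixes="xs">

  <xsl:output method="text"/>

  <!-- Untrusted input. A benign caller passes "bob"; the constructed payload
       x' or @role='admin
       closes the string literal and appends its own predicate. -->
  <xsl:param name="who" as="xs:string" select="'bob'"/>

  <!-- Constructed sample data, embedded so the stylesheet runs with no source file. -->
  <xsl:variable name="users" as="document-node()">
    <xsl:document>
      <users>
        <user name="alice" role="admin"/>
        <user name="bob"   role="user"/>
      </users>
    </xsl:document>
  </xsl:variable>

  <xsl:template name="xsl:initial-template">

    <!-- VULNERABLE: the caller's value is spliced into the XPath source text.
         With the payload above the evaluated expression becomes
           /users/user[@name='x' or @role='admin']/@role
         and yields "admin" instead of the caller's own role. -->
    <xsl:variable name="unsafe-expr" as="xs:string"
                  select="concat('/users/user[@name=''', $who, ''']/@role')"/>
    <xsl:variable name="unsafe-result" as="xs:string*">
      <xsl:evaluate xpath="$unsafe-expr" context-item="$users"/>
    </xsl:variable>
    <xsl:text>concatenation:  </xsl:text>
    <xsl:value-of select="string-join($unsafe-result, ',')"/>
    <xsl:text>&#10;</xsl:text>

    <!-- HARDENED: the expression text is a fixed literal and the caller's value
         is bound to $who through xsl:with-param. The XPath parser never sees the
         payload as syntax; it is compared as a plain string, matches no @name,
         and the result is the empty sequence. -->
    <xsl:variable name="safe-result" as="xs:string*">
      <xsl:evaluate xpath="'/users/user[@name = $who]/@role'" context-item="$users">
        <xsl:with-param name="who" select="$who" as="xs:string"/>
      </xsl:evaluate>
    </xsl:variable>
    <xsl:text>parameterized:  </xsl:text>
    <xsl:value-of select="string-join($safe-result, ',')"/>
    <xsl:text>&#10;</xsl:text>

  </xsl:template>

</xsl:stylesheet>
```

Run it once with the default $who and once with the payload to see the two lines diverge: "bob" gives user for both forms, while the payload gives admin from the concatenated expression and nothing from the parameterized one. The third point in the Note, disabling extension-function calls, is processor configuration rather than stylesheet code; a stylesheet that must work where dynamic evaluation has been switched off entirely can guard the instruction with use-when="system-property('xsl:supports-dynamic-evaluation') = 'yes'", which is the standard XSLT 3.0 system property for that capability.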