- From: <bugzilla@jessica.w3.org>
- Date: Fri, 16 Mar 2012 10:05:35 +0000
- To: public-qt-comments@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=16151

--- Comment #4 from Michael Kay <mike@saxonica.com> 2012-03-16 10:05:31 UTC ---

I have drafted the following (non-normative) Note which I propose adding to the spec:

<note><p>Stylesheet authors need to be aware of the security risks associated with the use of <elcode>xsl:evaluate</elcode>. The instruction should not be used to execute code from an untrusted source. To avoid the risk of code injection, user-supplied data should never be inserted into the expression using string concatenation, but should always be referenced by use of parameters. Implementations <rfc2119>should</rfc2119> provide mechanisms allowing calls on extension functions to be disabled.</p></note>
Received on Friday, 16 March 2012 10:05:50 UTC
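The following stylesheet is an added illustration of the two practices the proposed Note contrasts; it is not part of the bug report or the XSLT specification. It assumes the `xsl:evaluate` syntax as published in XSLT 3.0 (string `xpath` attribute, `xsl:with-param` children) and uses a constructed inline catalog and a constructed `user-name` value so it runs with no external input.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the bug report): user data spliced into the
     evaluated expression by concatenation, beside the parameterised form
     the proposed Note recommends. XSLT 3.0 syntax is assumed. -->
<xsl:stylesheet version="3.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    exclude-result-prefixes="xs">

  <!-- Value arriving from outside the stylesheet (e.g. a query string).
       Constructed sample: it contains a quote character and so can alter
       the structure of any expression it is concatenated into. -->
  <xsl:param name="user-name" as="xs:string" select="'x'' or 1=1 or '''"/>

  <!-- Constructed sample catalog so the example is self-contained. -->
  <xsl:variable name="catalog" as="document-node()">
    <xsl:document>
      <products>
        <product><name>widget</name><price>5</price></product>
        <product><name>gadget</name><price>9</price></product>
      </products>
    </xsl:document>
  </xsl:variable>

  <xsl:template name="xsl:initial-template">
    <results>
      <!-- UNSAFE: the expression text is built from user data. With the
           sample value the predicate becomes [name = 'x' or 1=1 or '']
           and every product is returned, not just the one asked for. -->
      <unsafe>
        <xsl:evaluate context-item="$catalog"
            xpath="'/products/product[name = ''' || $user-name || ''']'"/>
      </unsafe>

      <!-- SAFE: the expression is a fixed string; the user value is bound
           to $n and compared as data, so it cannot change the query shape.
           With the sample value this selects nothing, which is correct. -->
      <safe>
        <xsl:evaluate context-item="$catalog"
            xpath="'/products/product[name = $n]'">
          <xsl:with-param name="n" select="$user-name"/>
        </xsl:evaluate>
      </safe>
    </results>
  </xsl:template>
</xsl:stylesheet>
```

Run it with an XSLT 3.0 processor using the named initial template (no source document is needed); the `unsafe` element will contain both products while the `safe` element stays empty.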