[Bug 16151] Security concern about xsl:evaluate

https://www.w3.org/Bugs/Public/show_bug.cgi?id=16151

--- Comment #5 from Michael Kay <mike@saxonica.com> 2012-05-10 16:43:23 UTC ---
Corrected version of the proposed note:

I have drafted the following (non-normative) Note which I propose adding to the spec:

<note><p>Stylesheet authors need to be aware of the security risks associated with the use of <elcode>xsl:evaluate</elcode>. The instruction should not be used to execute code from an untrusted source. To avoid the risk of code injection, user-supplied data should never be inserted into the expression using string concatenation, but should always be referenced by use of parameters. Implementations <rfc2119>should</rfc2119> provide mechanisms allowing calls on <elcode>xsl:evaluate</elcode> to be disabled.</p></note>


Received on Thursday, 10 May 2012 16:43:29 UTC
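The contrast the proposed Note draws between string concatenation and parameters, shown as an added XSLT 3.0 illustration (constructed for this page, not text from the bug report or the specification). The stylesheet parameter `userInput`, the `employee`/`surname` document structure and both template names are assumptions.

```xml
<!-- Added example, not from the bug or the spec. $userInput stands for
     untrusted data (e.g. a value supplied by a caller of the stylesheet). -->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                version="3.0">

  <xsl:param name="userInput" as="xs:string" select="'Smith'"/>

  <!-- Injection-prone form: the untrusted value is spliced into the XPath
       source text, so a value containing a quote character can close the
       string literal and alter the logic of the predicate itself. -->
  <xsl:template name="unsafe-lookup">
    <xsl:evaluate xpath="concat('//employee[surname = ''', $userInput, ''']')"
                  context-item="/"/>
  </xsl:template>

  <!-- Form the Note recommends: the expression text is a fixed literal and
       the data is bound to the variable $name with xsl:with-param, so it is
       only ever compared as a string value and never parsed as XPath. -->
  <xsl:template name="safe-lookup">
    <xsl:evaluate xpath="'//employee[surname = $name]'" context-item="/">
      <xsl:with-param name="name" select="$userInput"/>
    </xsl:evaluate>
  </xsl:template>

</xsl:stylesheet>
```

Whether the processor also lets xsl:evaluate be disabled outright, as the Note asks of implementations, is a configuration setting to check in that processor's documentation rather than something expressible in the stylesheet itself.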