- From: <bugzilla@jessica.w3.org>
- Date: Thu, 01 Dec 2016 14:18:17 +0000
- To: public-qt-comments@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=30027

- Bug ID: 30027
- Summary: MIME type appendix update
- Product: XPath / XQuery / XSLT
- Version: Member-only Editors Drafts
- Hardware: PC
- OS: Linux
- Status: NEW
- Severity: normal
- Priority: P2
- Component: XQuery 3.1
- Assignee: jonathan.robie@gmail.com
- Reporter: liam@w3.org
- QA Contact: public-qt-comments@w3.org
- Target Milestone: ---

I suggest adding in G.6 Security Considerations

At the end of the first paragraph (Queries written in XQuery may cause arbitrary...) add,

[[
The XPath 3.1 fn:transform() function allows calls to URI-identified XSLT transformations which may in turn call external system functions and access or write to the file system. The fn:transform() function should be sandboxed or disabled if untrusted queries are run.
]]

The appendix already mentions fn:put() so no change needed there.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Thursday, 1 December 2016 14:18:24 UTC