- From: Michael(tm) Smith <mikes@opera.com>
- Date: Wed, 15 Nov 2006 05:23:01 +0900
- To: public-wsc-wg@w3.org
- Message-ID: <20061114202300.GI4446@malware>
Stephen Farrell <stephen.farrell@cs.tcd.ie>, 2006-11-14 19:28 +0000:

> XPath and similar languages are effectively almost programming
> languages and can therefore potentially badly affect the end
> user.

How, exactly? XPath itself is just an addressing mechanism that can be used by other languages (such as XSLT). It's not, on its own, a Turing-complete programming language as Javascript is. I know there are security considerations around XSLT, which has a document() function and xsl:import and xsl:include elements (which all can potentially enable an XSLT stylesheet to load a document from an arbitrary URI).

> In contrast with Java/Javascript these are less likely
> to have separate content types or browser settings/controls
> that the user can set and understand.

True. There is no "Disable XPath" option in any browser that I know of. I think there may not even be a "Disable XSLT" option in any of the browsers that have XSLT support.

> I don't claim to know the answer, but the question relates to
> these examples of sort-of-active content - should WSC consider
> these in the same way as Java/Javascript or not? And either way,
> what's the boundary between passive and active content? (I
> assume we'll need some description of "active" content that
> users have to be more careful about.)
>
> These technologies may also be worth considering if we think
> of the user's machine as a DDoS attack vector. (Attack web
> server, modify content to include dodgy XPath expressions that
> attack someone. Innocent browsers rip away.)

Can you give a specific example of a dodgy XPath expression and how it might be used to do something malicious?

--Mike

--
Michael(tm) Smith
Opera Software, Tokyo
xmpp:smith@sideshowbarker.net
irc://irc.freenode.net/mobile-web
Received on Tuesday, 14 November 2006 20:23:17 UTC
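As an added example (not part of Mike's message or the WSC thread), the check below enumerates the three XSLT constructs he names that can pull in another document: xsl:import, xsl:include and document() calls in XPath attributes. It uses only the Python standard library and scans the stylesheet statically, so it can be run over an untrusted stylesheet before handing it to a processor; the sample stylesheet, the example.invalid host and the file path in it are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
DOCUMENT_CALL = re.compile(r"\bdocument\s*\(")
STRING_LITERAL = re.compile(r"(['\"])(.*?)\1")

# Constructed sample stylesheet (not from the thread); the host and path are placeholders.
SAMPLE_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="http://example.invalid/base.xsl"/>
  <xsl:include href="common.xsl"/>
  <xsl:variable name="cfg" select="document('file:///srv/app/config.xml')"/>
  <xsl:template match="/">
    <xsl:copy-of select="document($cfg//src)/*"/>
  </xsl:template>
</xsl:stylesheet>
"""

def classify(uri):
    """Label where a referenced URI would be fetched from."""
    lowered = uri.strip().lower()
    if lowered.startswith(("http:", "https:", "ftp:")):
        return "remote"
    if lowered.startswith("file:"):
        return "local-file"
    return "relative"          # resolved against the stylesheet's own base URI

def document_targets(expr):
    """Yield the argument of each document() call in an XPath expression:
    the literal URI when it is a string, else 'dynamic' (computed at run time)."""
    for call in DOCUMENT_CALL.finditer(expr):
        literal = STRING_LITERAL.match(expr[call.end():].lstrip())
        yield literal.group(2) if literal else "dynamic"

def find_external_refs(xslt_text):
    """Return (kind, target, origin) for every construct that lets the
    stylesheet load another document: xsl:import, xsl:include, document()."""
    findings = []
    for el in ET.fromstring(xslt_text).iter():
        local = el.tag.split("}")[-1]
        if el.tag.startswith("{" + XSL_NS + "}") and local in ("import", "include"):
            href = el.get("href", "")
            findings.append(("xsl:" + local, href, classify(href)))
        for value in el.attrib.values():   # select/test/match and attribute value templates alike
            for target in document_targets(value):
                origin = "dynamic" if target == "dynamic" else classify(target)
                findings.append(("document()", target, origin))
    return findings

def needs_review(findings):
    """Keep only references that reach outside the stylesheet's own location
    or whose target cannot be known until the transform runs."""
    return [f for f in findings if f[2] != "relative"]

if __name__ == "__main__":
    for kind, target, origin in needs_review(find_external_refs(SAMPLE_XSLT)):
        print(f"{origin:10} {kind:12} {target}")
```

Because the scan is textual, a dynamic document() argument is reported as such rather than resolved; that is exactly the case a reviewer cannot settle without running the transform in a processor that restricts network and file access.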