- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 14 Nov 2006 15:25:50 -0500
- To: "Michael(tm) Smith" <mikes@opera.com>
- Cc: public-wsc-wg@w3.org
(This referred to ACTION-3. Please make sure you do quote the action identifier when responding.)

--
Thomas Roessler, W3C <tlr@w3.org>

On 2006-11-15 05:23:01 +0900, Michael(tm) Smith wrote:
> From: "Michael(tm) Smith" <mikes@opera.com>
> To: public-wsc-wg@w3.org
> Date: Wed, 15 Nov 2006 05:23:01 +0900
> Subject: Re: XPath/XQuery and all that
> List-Id: <public-wsc-wg.w3.org>
> X-Spam-Level:
> X-Archived-At: http://www.w3.org/mid/20061114202300.GI4446@malware
>
> Stephen Farrell <stephen.farrell@cs.tcd.ie>, 2006-11-14 19:28 +0000:
>
> > XPath and similar languages are effectively almost programming
> > languages and can therefore potentially badly affect the end
> > user.
>
> How, exactly? XPath itself is just an addressing mechanism
> that can be used by other languages (such as XSLT). It's not, on
> its own, a Turing-complete programming language as Javascript is.
>
> I know there are security considerations around XSLT, which has
> a document() function and xsl:import and xsl:include elements
> (which all can potentially enable an XSLT stylesheet to load a
> document from an arbitrary URI).
>
> > In contrast with Java/Javascript these are less likely
> > to have separate content types or browser settings/controls
> > that the user can set and understand.
>
> True. There is no "Disable XPath" option in any browser that I
> know of. I think there may not even be a "Disable XSLT" option in
> any of the browsers that have XSLT support.
>
> > I don't claim to know the answer, but the question relates to
> > these examples of sort-of-active content - should WSC consider
> > these in the same way as Java/Javascript or not? And either way,
> > what's the boundary between passive and active content? (I
> > assume we'll need some description of "active" content that
> > users have to be more careful about.)
> >
> > These technologies may also be worth considering if we think
> > of the user's machine as a DDoS attack vector. (Attack web
> > server, modify content to include dodgy XPath expressions that
> > attack someone. Innocent browsers rip away.)
>
> Can you give a specific example of a dodgy XPath expression and
> how it might be used to do something malicious?
>
> --Mike
>
> --
> Michael(tm) Smith
> Opera Software, Tokyo
> xmpp:smith@sideshowbarker.net
> irc://irc.freenode.net/mobile-web
Received on Tuesday, 14 November 2006 20:26:00 UTC
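Mike's message above points out that XSLT's document() function and its xsl:import and xsl:include elements can make a stylesheet load a document from an arbitrary URI, and that browsers offer no switch to turn this off. The following is an added example, not part of the original thread and not code from Opera, W3C or any XSLT processor: a static scanner, written in Python with only the standard library, that lists every such reference in a stylesheet and classifies it as remote, local or dynamic, so that an untrusted stylesheet can be reviewed or rejected before it is handed to a processor. The two sample stylesheets and the example.invalid URIs are constructed for illustration; the "safe to apply" policy at the end is one plausible choice, not a standard.

```python
"""Static scan of an XSLT stylesheet for external-document loading.

Added example (not from the thread above). It finds the three
mechanisms the message names: xsl:import, xsl:include and the
document() XPath function, and classifies what each one points at.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# XSLT 1.0 attributes that carry XPath expressions and so may call document().
XPATH_ATTRS = ("select", "test", "match", "use")
DOCUMENT_CALL = re.compile(r"\bdocument\s*\(")
DOCUMENT_LITERAL = re.compile(r"\bdocument\s*\(\s*(['\"])(.*?)\1")

# Constructed sample: one stylesheet that reaches out, one that does not.
SAMPLE_STYLESHEET = """\
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="http://example.invalid/base.xsl"/>
  <xsl:include href="helpers.xsl"/>
  <xsl:template match="/">
    <ul>
      <xsl:for-each select="document('http://example.invalid/feed.xml')//item">
        <li><xsl:value-of select="title"/></li>
      </xsl:for-each>
      <xsl:copy-of select="document(@src)"/>
    </ul>
  </xsl:template>
</xsl:stylesheet>
"""

CLEAN_STYLESHEET = """\
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <ul>
      <xsl:for-each select="//item"><li><xsl:value-of select="title"/></li></xsl:for-each>
    </ul>
  </xsl:template>
</xsl:stylesheet>
"""


def _local(tag):
    """Strip the namespace part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def classify_target(value):
    """Classify an href, or an XPath expression that calls document().

    'remote'  : a scheme-qualified URI literal (http:, file:, ...)
    'local'   : a relative reference, resolved against the stylesheet's base URI
    'dynamic' : document() whose argument is computed at run time, e.g. document(@src)
    """
    m = DOCUMENT_LITERAL.search(value)
    if m:
        target = m.group(2)
    elif DOCUMENT_CALL.search(value):
        return "dynamic"
    else:
        target = value
    return "remote" if urlparse(target).scheme else "local"


def scan_stylesheet(stylesheet_xml):
    """Return (kind, where, value, classification) for each external load.

    kind is 'import', 'include' or 'document'; where names the element (and,
    for document(), the attribute) that carries it. Only references this
    scanner understands are listed; it is a static check, not a sandbox.
    """
    root = ET.fromstring(stylesheet_xml)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if el.tag in ("{%s}import" % XSL_NS, "{%s}include" % XSL_NS):
            href = el.get("href", "")
            findings.append((name, name, href, classify_target(href)))
        for attr in XPATH_ATTRS:
            expr = el.get(attr)
            if expr and DOCUMENT_CALL.search(expr):
                findings.append(("document", "%s@%s" % (name, attr), expr,
                                 classify_target(expr)))
    return findings


def summarize(stylesheet_xml):
    """Count findings per classification."""
    counts = {"remote": 0, "local": 0, "dynamic": 0}
    for _, _, _, cls in scan_stylesheet(stylesheet_xml):
        counts[cls] += 1
    return counts


def is_safe_to_apply(stylesheet_xml, allow_local=True):
    """Example policy: refuse any stylesheet that can reach a remote or unknown URI."""
    counts = summarize(stylesheet_xml)
    if counts["remote"] or counts["dynamic"]:
        return False
    return allow_local or counts["local"] == 0


if __name__ == "__main__":
    for finding in scan_stylesheet(SAMPLE_STYLESHEET):
        print("%-8s %-18s %-9s %s" % (finding[0], finding[1], finding[3], finding[2]))
    print("safe:", is_safe_to_apply(SAMPLE_STYLESHEET))
```

The scan is deliberately conservative about document(): a call whose argument is not a string literal is reported as dynamic rather than guessed at, because the URI is only known when the transform runs. The real control in a processor is to deny network and file access during the transform; this scanner is the review step you can apply when the processor you are stuck with, such as a browser, has no such switch.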