- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Fri, 17 Nov 2006 11:25:12 +0000
- To: George Staikos <staikos@kde.org>
- Cc: W3 Work Group <public-wsc-wg@w3.org>
George Staikos wrote: > > On 14-Nov-06, at 3:37 PM, Stephen Farrell wrote: > >> >> Michael(tm) Smith wrote: >>> Stephen Farrell <stephen.farrell@cs.tcd.ie >>> <mailto:stephen.farrell@cs.tcd.ie>>, 2006-11-14 19:28 +0000: >>>> XPath and similar languages are effectively almost programming >>>> languages and can therefore potentially badly affect the end >>>> user. >>> How, exactly? XPath itself is an just an addressing mechanism. >>> that can be used by other languages (such as XSLT). It's not, on >>> its own, a Turing-complete programming language as Javascript is. >> >> My (poor) understanding of it is that it can be made to loop and >> has variables, but perhaps that's only in conjunction with XSLT >> or something. > > Keep in mind that one could implement all these XML technologies in > JavaScript, so their existence is irrelevant, and conceptually they're > irrelevant. The question is only of their implementation, and that's > not in scope for any sort of standards group. Implementation details > belong with the developer and are generally solved with software updates. But: If the web security context doesn't consider these technologies in the same way as Java/Javascript/ActiveX/whatever, then there's a hole. I don't know if we can do much about it, but recognising its existence seems to me to be worthwhile. Stephen.
Received on Friday, 17 November 2006 15:00:45 UTC