- From: Rui Lopes <rlopes@di.fc.ul.pt>
- Date: Fri, 30 Nov 2007 15:56:27 +0000
- To: XMLProc List <public-xml-processing-model-wg@w3.org>
Received on Friday, 30 November 2007 15:56:43 UTC

More dangerous than p:load, p:store or p:http-request, p:exec is prone to abuse, especially when importing externally-defined pipeline libraries. We should say something about it either in Section 2.9 (Security Considerations), or in the step declaration (7.2.1).

p:xslt has the same problem, as some XSLT implementations (e.g., Saxon) afford embedding and executing arbitrary Java methods. p:xquery might be prone to the same issue.

Cheers,
Rui
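
An added example, not part of the original message or of the XProc specification: a small audit that lists the steps named above when they appear in a pipeline library, so the library can be reviewed before it is imported. The sample library is constructed, and treating a namespace URI that starts with "java:" as a binding to a Java class is an assumption based on Saxon's extension-function convention.

```python
import io
import xml.etree.ElementTree as ET

XPROC_NS = "{http://www.w3.org/ns/xproc}"
# Steps named in the message and why each deserves review.
RISKY_STEPS = {
    "exec": "runs an external command",
    "xslt": "stylesheet may call extension functions",
    "xquery": "query may call extension functions",
    "http-request": "network access",
    "load": "reads a resource",
    "store": "writes a resource",
}

# Constructed sample, loosely shaped like an XProc library (not schema-valid).
SAMPLE_LIBRARY = """<p:library xmlns:p="http://www.w3.org/ns/xproc">
  <p:pipeline name="format">
    <p:xslt>
      <p:input port="stylesheet"><p:inline>
        <xsl:stylesheet version="2.0"
            xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
            xmlns:m="java:java.lang.Math"/>
      </p:inline></p:input>
    </p:xslt>
    <p:exec command="/bin/cat"/>
  </p:pipeline>
</p:library>"""

def audit_pipeline(xml_text):
    """Return sorted (item, reason) findings for one pipeline document."""
    findings = set()
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start", "start-ns")):
        if event == "start-ns":
            _prefix, uri = item
            if uri.startswith("java:"):  # assumption: Saxon-style class binding
                findings.add(("namespace " + uri, "binds a Java class"))
        elif item.tag.startswith(XPROC_NS):
            local = item.tag[len(XPROC_NS):]
            if local in RISKY_STEPS:
                findings.add(("p:" + local, RISKY_STEPS[local]))
    return sorted(findings)

if __name__ == "__main__":
    for item, reason in audit_pipeline(SAMPLE_LIBRARY):
        print(f"{item}: {reason}")
```

A p:xslt or p:xquery finding still needs manual review when the stylesheet or query is loaded by reference, since only inline content is visible to this scan.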