- From: Matthew Dovey <matthew.dovey@las.ox.ac.uk>
- Date: Mon, 22 Apr 2002 11:35:36 +0100
- To: "Sebastian Hammer" <quinn@indexdata.dk>, "Robert Sanderson" <azaroth@liverpool.ac.uk>
- Cc: <www-zig@w3.org>
> Yes.. having thought about it some more, I definitely agree. XSLT is what
> we need for Espec'ing.
>
> Will we need to limit some of the esoteric functionality, like loading
> external stylesheets and documents? Is there a notion of a security
> sandbox for XSLT?

Not that I know of. Although by completely ruling out external extensions this may make things safer.

We are, however, as both you and Dan point out, sending an arbitrary script to a server, so this needs careful implementation. Even if we lock down to an XSLT subset which can't be abused by hackers we may be open to denial of service attacks by someone sending an XSLT with an infinite loop etc.

I think this is one of the reasons we dropped this from SRW at an early stage...

Matthew
Received on Monday, 22 April 2002 06:35:37 UTC
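
An added example, not part of the original message: a static pre-check in Python that a server could apply before running a client-supplied XSLT 1.0 stylesheet, rejecting the external-loading and extension features discussed above. The function name and the sample stylesheets are constructed for illustration; the last sample shows that a non-terminating stylesheet passes this kind of check, so a time or recursion-depth budget in the processor is still needed.

```python
import re
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"
DOCUMENT_CALL = re.compile(r"\bdocument\s*\(")
# XSLT 1.0 core functions are unprefixed, so prefix:name( is an extension call.
PREFIXED_CALL = re.compile(r"(?<![\w:.-])([A-Za-z_][\w.-]*:[A-Za-z_][\w.-]*)\s*\(")

def vet_stylesheet(text):
    """Return reasons to reject a client-supplied stylesheet ([] = accept)."""
    if "<!DOCTYPE" in text:  # refuse DTDs, and with them external entities
        return ["DOCTYPE"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["not well-formed"]
    if root.tag not in (XSL + "stylesheet", XSL + "transform"):
        return ["not an XSLT stylesheet"]
    reasons = []
    for el in root.iter():
        if el.tag in (XSL + "import", XSL + "include"):
            reasons.append("xsl:" + el.tag[len(XSL):])
        for name, value in el.attrib.items():
            if name.endswith("extension-element-prefixes"):
                reasons.append("extension elements")
            # Conservative: scan every attribute, not only select/test/match.
            if DOCUMENT_CALL.search(value):
                reasons.append("document()")
            reasons += ["extension function " + f for f in PREFIXED_CALL.findall(value)]
    return reasons

# Constructed sample stylesheets (not from the original thread).
HEAD = '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
GOOD = HEAD + """><xsl:template match="/">
  <titles><xsl:copy-of select="//title"/></titles>
</xsl:template></xsl:stylesheet>"""
BAD = HEAD + """ xmlns:ext="urn:example:ext" extension-element-prefixes="ext">
<xsl:include href="other.xsl"/>
<xsl:template match="/">
  <xsl:copy-of select="document('other.xml')"/>
  <xsl:value-of select="ext:run(.)"/>
</xsl:template></xsl:stylesheet>"""
# Passes the static check yet never terminates: only a time/depth budget stops it.
LOOP = HEAD + """><xsl:template match="/" name="spin">
  <xsl:call-template name="spin"/>
</xsl:template></xsl:stylesheet>"""

if __name__ == "__main__":
    for label, sheet in (("GOOD", GOOD), ("BAD", BAD), ("LOOP", LOOP)):
        print(label, vet_stylesheet(sheet))
```

The attribute scan is deliberately over-broad, so a stylesheet that merely mentions `document(` inside a string literal is also rejected.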