Re: which layer for URI processing?

At 14:02 2000 05 24 -0400, Tim Berners-Lee wrote:
>Suppose I use XSLT to filter a document to ensure it doesn't have
>any of an http://example.com/detonator namespace in it, because processing
>this would allow the document to destroy the chemical plant.
>The XSLT sees "/detonator" in an incoming document
>http://example.com/doc.xml
>but it does not notice it as it does not absolutize it. The checked result
>is passed to the main control system. However, when
>this "upper layer" runs it absolutizes it to find out what in upper layer
>terms it really means, and
>instantiates a chemical plant handler to handle the http://example.com/foo.
>Bang.
>
>Is this or is this not a problem?

Either you shouldn't rely on XSLT to be doing such filtering
(who says XSLT must be able to support such filtering?) or you 
should have written your XSLT more carefully to do the necessary
absolutization so that it wouldn't let such occurrences through.

After all, it's going to let http://example.com/./detonator through
and blow up your plant anyway.

Received on Wednesday, 24 May 2000 14:36:26 UTC
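
The mismatch discussed in this exchange, as an added example that is not part of the original thread: a filter that compares the namespace name as written, next to one that first absolutizes it against the document's base URI and removes dot segments, as the consuming layer would. The namespace and base URI are the ones used in the messages; the function names and the sample list are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

BLOCKED_NS = "http://example.com/detonator"  # namespace named in the thread
BASE_URI = "http://example.com/doc.xml"      # document URI named in the thread

def remove_dot_segments(path):
    """Drop "." and ".." path segments (RFC 3986, section 5.2.4)."""
    segments = path.split("/")
    out = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:  # never pop the leading "" that marks the root
                out.pop()
            continue
        out.append(seg)
    if segments[-1] in (".", ".."):
        out.append("")  # a trailing dot segment leaves a trailing slash
    return "/".join(out)

def canonical(ns_name, base_uri):
    """Absolutize ns_name against base_uri, then remove dot segments.
    urljoin() leaves the path of an already-absolute reference untouched,
    so dot-segment removal is applied explicitly afterwards."""
    parts = urlsplit(urljoin(base_uri, ns_name))
    return urlunsplit((parts.scheme, parts.netloc,
                       remove_dot_segments(parts.path),
                       parts.query, parts.fragment))

def literal_filter_blocks(ns_name):
    """Filter layer that compares the name exactly as written."""
    return ns_name == BLOCKED_NS

def canonical_filter_blocks(ns_name, base_uri):
    """Filter layer that resolves the name the way the upper layer will."""
    return canonical(ns_name, base_uri) == canonical(BLOCKED_NS, base_uri)

# Constructed sample namespace names, including the two spellings from the thread.
SAMPLES = ["http://example.com/detonator", "/detonator",
           "http://example.com/./detonator", "http://example.com/harmless"]

def compare(samples, base_uri):
    """Return (name, literal verdict, canonical verdict) for each sample."""
    return [(ns, literal_filter_blocks(ns), canonical_filter_blocks(ns, base_uri))
            for ns in samples]

if __name__ == "__main__":
    for ns, literal, canon in compare(SAMPLES, BASE_URI):
        print(f"{ns!r:40} literal={literal!s:5} canonical={canon}")
```

Any row where the two verdicts differ is a name the filter passes but the consuming layer resolves to the blocked namespace.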