
Re: which layer for URI processing?

From: Paul Grosso <pgrosso@arbortext.com>
Date: Wed, 24 May 2000 13:36:24 -0500
Message-Id: <3.0.32.20000524133618.00e367e0@pophost.arbortext.com>
To: <xml-uri@w3.org>

At 14:02 2000 05 24 -0400, Tim Berners-Lee wrote:
>Suppose I use XSLT to filter a document to ensure it doesn't have
>any of an http://example.com/detonator namespace in it, because processing
>this would allow the document to destroy the chemical plant.
>The XSLT sees "/detonator" in an incoming document
>http://example.com/doc.xml
>but it does not notice it as it does not absolutize it. The checked result
>is passed to the main control system. However, when
>this "upper layer" runs it absolutizes it to find out what in upper layer
>terms it really means, and
>instantiates a chemical plant handler to handle the http://example.com/foo.
>Bang.
>
>Is this or is this not a problem?

Either you shouldn't rely on XSLT to be doing such filtering
(who says XSLT must be able to support such filtering?) or you 
should have written your XSLT more carefully to do the necessary
absolutization so that it wouldn't let such occurrences through.

After all, it's going to let http://example.com/./detonator through
and blow up your plant anyway.
Received on Wednesday, 24 May 2000 14:36:26 UTC
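
The filtering gap discussed in this thread, as an added example that is not part of the original messages: a filter that compares namespace names character for character, next to one that absolutizes against the document URI and removes dot segments before comparing. The function names and sample documents are constructed for illustration, and the example assumes the consuming layer resolves namespace names the way the quoted scenario describes.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit, urlunsplit

BLOCKED = "http://example.com/detonator"  # namespace named in the thread
BASE = "http://example.com/doc.xml"       # document URI named in the thread
SAMPLES = {  # constructed documents, not from the original messages
    "absolute": '<d xmlns:x="http://example.com/detonator"><x:go/></d>',
    "relative": '<d xmlns:x="/detonator"><x:go/></d>',
    "dot-segment": '<d xmlns:x="http://example.com/./detonator"><x:go/></d>',
    "harmless": '<d xmlns:x="http://example.com/valve"><x:go/></d>',
}

def remove_dot_segments(path):
    """Drop "." and ".." segments from an absolute path (RFC 3986, 5.2.4)."""
    segs, out = path.split("/"), []
    for seg in segs:
        if seg == "..":
            if len(out) > 1:
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segs[-1] in (".", ".."):
        out.append("")  # a trailing dot segment leaves a trailing slash
    return "/".join(out)

def canonical(ns, base=BASE):
    """Absolutize ns against base, then remove dot segments.
    Case and percent-encoding equivalences are not handled here."""
    p = urlsplit(urljoin(base, ns))
    return urlunsplit((p.scheme, p.netloc, remove_dot_segments(p.path), p.query, p.fragment))

def namespaces(xml_text):
    """Namespace names used on element names in xml_text."""
    tags = (el.tag for el in ET.fromstring(xml_text).iter())
    return {t[1:].split("}", 1)[0] for t in tags if t.startswith("{")}

def literal_filter(xml_text):
    """Pass unless the blocked name appears character for character."""
    return BLOCKED not in namespaces(xml_text)

def normalizing_filter(xml_text, base=BASE):
    """Pass unless some namespace name resolves to the blocked one."""
    blocked = canonical(BLOCKED, base)
    return all(canonical(ns, base) != blocked for ns in namespaces(xml_text))

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:12} literal={literal_filter(doc)} normalizing={normalizing_filter(doc)}")
```

A filter is only a reliable gate when it applies the same resolution and normalization as the layer that later acts on the document.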
