"Safe Mode" processing for XSLT

I have been writing some web applications in XProc, using Calabash, and
I've struck the issue that user-supplied (uploaded) XSLT transforms can
present a security risk. Since XSLT is Turing complete it can provide a
powerful extension mechanism for an XML-processing app, but you need to
tightly control access to the web app itself unless you can run such XSLT
in a sandbox.

I had a vague but false memory that the p:xslt step had an option to
enforce a kind of "safe mode". Alas it looks like wishful thinking.

It seems to me that to perform secure XSLT processing one would need to be
able to supply a URI resolver to prevent access to the local file system,
and to disable any XSLT extension functions that might pose a risk, and
perhaps even to enforce a timeout on XSLT execution.

Has anyone implemented anything like this, either in Calabash or some other
processor?


Conal

Received on Tuesday, 2 June 2015 07:20:20 UTC
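The three controls the post lists (a URI resolver that blocks file-system access, disabling extension functions, and a timeout) map directly onto standard JAXP knobs. The following is an added illustration, not code from the post or from Calabash, written against the JDK's built-in JAXP transformer; with Saxon (which Calabash uses) the factory attribute names and the extension-function switch differ, so treat the `setAttribute` calls here as an assumption that needs checking for that processor. The stylesheet and input are constructed samples.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class SafeXslt {

    /** Resolver that refuses every document(), xsl:import and xsl:include lookup. */
    static final URIResolver DENY_ALL = (href, base) -> {
        throw new TransformerException("access to external resource denied: " + href);
    };

    /** Factory with secure processing on, external fetches off, and the deny-all resolver. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // JAXP secure processing: disables extension functions in the JDK processor
        // and applies its resource limits.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list = no external DTD / stylesheet access (JAXP 1.5 properties).
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setURIResolver(DENY_ALL); // covers compile-time import/include
        return tf;
    }

    /** Run an untrusted stylesheet over an XML string, bounded by a wall-clock timeout. */
    static String transform(String xslt, String xml, long timeoutMillis) throws Exception {
        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xslt)));
        t.setURIResolver(DENY_ALL); // covers run-time document() calls
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Future<String> job = pool.submit(() -> {
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        });
        try {
            return job.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            job.cancel(true);
            throw new TimeoutException("XSLT execution exceeded " + timeoutMillis + " ms");
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an uploaded stylesheet that tries to pull in a local file.
        String xslt = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:template match='/'><out>"
            + "<xsl:copy-of select='document(\"file:///tmp/constructed-secret.txt\")'/>"
            + "</out></xsl:template></xsl:stylesheet>";
        String xml = "<doc/>";
        try {
            System.out.println(transform(xslt, xml, 2000));
        } catch (TransformerException e) {
            // Expected path: the resolver rejects the document() lookup.
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Two caveats worth keeping in mind. First, `Future.cancel(true)` only interrupts; a stylesheet stuck in a non-interruptible loop keeps its thread busy, so a hard timeout against hostile input really needs the transform in a separate process (or a processor that checks for interruption). Second, the deny-all resolver only sees URIs routed through JAXP; anything a processor-specific extension function can reach is governed by that processor's own switches, which is why disabling extension functions is listed as a separate control rather than folded into the resolver.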