- From: Norman Walsh <ndw@nwalsh.com>
- Date: Tue, 02 Jun 2015 15:12:21 +0100
- To: XProc Dev <xproc-dev@w3.org>
- Message-ID: <87vbf6urlm.fsf@nwalsh.com>
Conal Tuohy <conal.tuohy@gmail.com> writes:
> I had a vague but false memory that the p:xslt step had an option to
> enforce a kind of "safe mode". Alas it looks like wishful thinking.

XML Calabash does implement a "safe mode",

  http://xmlcalabash.com/docs/reference/cfg.safe-mode.html

but I don't make any guarantees.

> It seems to me that to perform secure XSLT processing one would need
> to be able to supply a URI resolver to prevent access to the local
> file system,

Yes, I'll add a bug to enable that (it might already be enabled, but a
quick grep didn't convince me.)

> and to disable any XSLT extension functions that might

I don't know how practical that is, but I agree you'd need to.

> pose a risk, and perhaps even to enforce a timeout on XSLT execution.

That's also doable, I suppose.

Be seeing you,
  norm

--
Norman Walsh
Lead Engineer
MarkLogic Corporation
Phone: +1 512 761 6676
www.marklogic.com
Received on Tuesday, 2 June 2015 14:12:50 UTC
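
The three controls discussed in this message (a deny-all URI resolver, disabled extension functions, an execution timeout), shown as an added example that is not part of the original message and is not XML Calabash's safe-mode code. It assumes the JDK's built-in XSLT processor behind plain JAXP; the class name `RestrictedXslt` and the stylesheet in `main` are constructed for illustration.

```java
import java.io.*;
import java.util.concurrent.*;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;

public class RestrictedXslt {
    static String transform(String xslt, String xml, long timeoutSec) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing: the JDK processor turns off extension functions.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no external DTDs, xsl:import/include or document() fetches.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // Second layer: a resolver that refuses every URI it is asked for.
        URIResolver denyAll = (href, base) -> {
            throw new TransformerException("blocked URI: " + href);
        };
        tf.setURIResolver(denyAll);                       // compile time
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
        t.setURIResolver(denyAll);                        // run time

        // Run the transform on a worker thread so the caller can stop waiting.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Future<String> job = pool.submit(() -> {
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        });
        try {
            return job.get(timeoutSec, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            job.cancel(true);                             // interrupt only, see note
            throw e;
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) {
        // Constructed stylesheet that asks for a local file through document().
        String xslt = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:template match='/'><out><xsl:copy-of "
            + "select=\"document('file:///constructed/example.xml')\"/></out></xsl:template></xsl:stylesheet>";
        try { System.out.println(transform(xslt, "<doc/>", 5)); }
        catch (Exception e) { System.out.println("rejected: " + e); }
    }
}
```

The timeout only stops the caller from waiting: `cancel(true)` interrupts the worker thread, and a transform that ignores interrupts keeps running, so a hard limit needs a separate process that can be killed.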