Re: "Safe Mode" processing for XSLT

Conal Tuohy <conal.tuohy@gmail.com> writes:
> I had a vague but false memory that the p:xslt step had an option to
> enforce a kind of "safe mode". Alas it looks like wishful thinking.

XML Calabash does implement a "safe mode",
http://xmlcalabash.com/docs/reference/cfg.safe-mode.html
but I don't make any guarantees.

> It seems to me that to perform secure XSLT processing one would need
> to be able to supply a URI resolver to prevent access to the local
> file system,

Yes, I'll add a bug to enable that (it might already be enabled, but a
quick grep didn't convince me.)

> and to disable any XSLT extension functions that might

I don't know how practical that is, but I agree you'd need to.

> pose a risk, and perhaps even to enforce a timeout on XSLT execution.

That's also doable, I suppose.

                                        Be seeing you,
                                          norm

-- 
Norman Walsh
Lead Engineer
MarkLogic Corporation
Phone: +1 512 761 6676
www.marklogic.com

Received on Tuesday, 2 June 2015 14:12:50 UTC