Re: "Safe Mode" processing for XSLT

To answer my own question about a "safe mode" for running user-contributed
XSLT, it seems that MorganaXProc has a more general security system that
could be used:

At first glance it looks like the Morgana "safe mode" applies too generally
(in that it applies to an entire pipeline rather than just to a certain set
of p:xslt steps), but in a web service environment, you could run a second
instance of MorganaXProc, configured to be as safe as possible, and
delegate any "safe mode" XSLT transformations to that service.

On 2 June 2015 at 17:19, Conal Tuohy wrote:

> I have been writing some web applications in XProc, using Calabash, and
> I've struck the issue that user-supplied (uploaded) XSLT transforms can
> present a security risk. Since XSLT is Turing complete it can provide a
> powerful extension mechanism for an XML-processing app, but you need to
> tightly control access to the web app itself unless you can run such XSLT
> in a sandbox.
> I had a vague but false memory that the p:xslt step had an option to
> enforce a kind of "safe mode". Alas it looks like wishful thinking.
> It seems to me that to perform secure XSLT processing one would need to be
> able to supply a URI resolver to prevent access to the local file system,
> and to disable any XSLT extension functions that might pose a risk, and
> perhaps even to enforce a timeout on XSLT execution.
> Has anyone implemented anything like this, either in Calabash or some
> other processor?
> Conal

Received on Wednesday, 3 June 2015 08:25:38 UTC
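
The three controls listed in the quoted message (a URI resolver that denies file-system access, disabled extension functions, and an execution timeout), sketched as an added example that is not code from this thread, Calabash or MorganaXProc. It assumes plain JAXP with the JDK's built-in XSLT 1.0 processor (Java 9+); the class name SafeXslt and the method transform are hypothetical.

```java
import java.io.*;
import java.util.concurrent.*;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;
public class SafeXslt {
    static String transform(String xslt, String xml, long seconds) throws Exception {
        // JDK built-in processor (Java 9+), so the JAXP attributes below are recognised.
        TransformerFactory tf = TransformerFactory.newDefaultInstance();
        // Secure processing turns off extension functions in the built-in processor.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no external DTDs, no external xsl:import/xsl:include/document().
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // Deny-all resolver as a second layer, for compile time and run time.
        URIResolver denyAll = (href, base) -> {
            throw new TransformerException("blocked URI: " + href);
        };
        tf.setURIResolver(denyAll);
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
        t.setURIResolver(denyAll);
        // Run on a daemon worker so the caller can stop waiting after the deadline.
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread th = new Thread(r, "untrusted-xslt");
            th.setDaemon(true);
            return th;
        });
        Future<String> job = pool.submit(() -> {
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        });
        try {
            return job.get(seconds, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            job.cancel(true); // best effort: the processor may ignore the interrupt
            throw new TransformerException("stylesheet exceeded " + seconds + "s");
        } finally {
            pool.shutdownNow();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input: a harmless user stylesheet and document.
        String xslt = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:template match='/'><out><xsl:value-of select='/doc'/></out></xsl:template>"
            + "</xsl:stylesheet>";
        System.out.println(transform(xslt, "<doc>hello</doc>", 5));
    }
}
```

The timeout only bounds how long the caller waits; a stylesheet that ignores the interrupt keeps consuming CPU on its worker thread, so a hard limit needs a separate process that can be killed, which is where delegating to a second, locked-down service instance fits.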