Re: "Safe Mode" processing for XSLT

Hi Conal,
having thought for a while, another solution came up to me: MorganaXProc has a pluggable connector to the XSLT processor used running a pipeline. The connection to Saxon is provided by class SaxonXSLTConnector which delivers an instance of SaxonXSLTTemplate. You could subclass the later and provide your own implementation for methods „setURIResolver“ and „setCollectionURIResolver“. Normally here MorganaXProc’s filesystem and security manager is used, but you could provide an implementation which allows no access to any uri at all.

A description of the pluggable connector for xslt processors is here:

I have not tested this idea and I do not know, whether this is a possible solution for your problem. As a result of this strategy, NO xslt template in your pipeline will be able to access any resource. It applies to all instances of p:xslt in your pipeline, but all other steps have access to resources allowed in the configuration for the security system.

So this does not provide a discrimination between good and (possibly) harmful stylesheets in one pipeline, because all styleheets are treated as harmful. 

And, as Norm said: There is no guaranty that this mechanism can not be bypassed in some way.

Greetings from Germany,
Achim Berndzen

> Am 03.06.2015 um 10:24 schrieb Conal Tuohy <>:
> To answer my own question about a "safe mode" for running user-contributed XSLT, it seems that MorganaXProc has a more general security system that could be used:
> At first glance it looks like the Morgana "safe mode" applies too generally (in that it applies to an entire pipeline rather than just to a certain set of p:xslt steps), but in a web service environment, you could run a second instance of MorganaXProc, configured to be as safe as possible, and delegate any "safe mode" XSLT transformations to that service.
> On 2 June 2015 at 17:19, Conal Tuohy <> wrote:
> I have been writing some web applications in XProc, using Calabash, and I've struck the issue that user-supplied (uploaded) XSLT transforms can present a security risk. Since XSLT is Turing complete it can provide a powerful extension mechanism for an XML-processing app, but you need to tightly control access to the web app itself unless you can run such XSLT in a sandbox.
> I had a vague but false memory that the p:xslt step had an option to enforce a kind of "safe mode". Alas it looks like wishful thinking.
> It seems to me that to perform secure XSLT processing one would need to be able to supply a URI resolver to prevent access to the local file system, and to disable any XSLT extension functions that might pose a risk, and perhaps even to enforce a timeout on XSLT execution.
> Has anyone implemented anything like this, either in Calabash or some other processor?
> Conal

Received on Wednesday, 3 June 2015 16:19:18 UTC