Lists Home |
Date Index |
Bill de hÓra wrote,
> The notion of treating XML as active content is fascinating (and a
> bit scary). I wonder if you could set up a for loop for a DOS via
> an XSLT sheet?
An XSLT stylesheet has intended programmatic semantics (it's code, for
all that it's sprinkled with angle brackets and declarative rather than
imperative), so pretty clearly, IMO, it has to be treated as active
content. A comparisons with PostScript might be in order here, and it's
not news that untrusted PostScript documents can be dangerous.
The more worrying cases are documents which don't have any such intended
semantics (ie. just dumb data), but get them willy nilly thanks to the
implicit retrieval semantics of validation. My guess is that many,
many, developers will assume that such things are just as safe as
text/plain is typically taken to be, without anticipating the effects
This is likely to be particularly so in server as opposed to client
applications: that a server designed to only _consume_ incoming
documents might be tricked into making outgoing requests to arbitrary
hosts is probably completely unexpected.