xml-dev - Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a r

Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a r

[ Lists Home | Date Index | Thread Index ]

To: <michael.h.kay@ntlworld.com>
Subject: Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a rare broadside)
From: Henrik Motakef <henrik.motakef@web.de>
Date: 10 Jun 2002 22:30:35 +0200
Cc: "'Simon St.Laurent'" <simonstl@simonstl.com>, <xml-dev@lists.xml.org>
In-reply-to: <000701c2108c$7c03e0d0$6401a8c0@pcukmka>
References: <000701c2108c$7c03e0d0$6401a8c0@pcukmka>
Sender: henrik.motakef@web.de
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

"Michael Kay" <michael.h.kay@ntlworld.com> writes:

> I see that David's talk mentions the dangers of referring to external
> XSLT stylesheets. Until recently the W3C site provided a servlet which
> would run an XSLT transformation using a user-specified source document
> and stylesheet. By calling external Java methods from the stylesheet,
> you had total access to files on the web server.
> 
> Although W3C have patched their servlet to disallow Java method calls, I
> suspect many others are still doing this.

Just out of interest: How will it handle an XPath including
``document('file:///some/secret/file.xml')''?

References:
- RE: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a rare broadside)
  - From: "Michael Kay" <michael.h.kay@ntlworld.com>

Prev by Date: Re: [xml-dev] W3C Schema: Resistance is Futile, says Don Box
Next by Date: Re: [xml-dev] (more details) embedding xml schema in an instance doc
Previous by thread: Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a rare broadside)
Next by thread: Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a rare broadside)
Index(es):
- Date
- Thread