OASIS Mailing List Archives

   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a r

"Michael Kay" <michael.h.kay@ntlworld.com> writes:

> I see that David's talk mentions the dangers of referring to external
> XSLT stylesheets. Until recently the W3C site provided a servlet which
> would run an XSLT transformation using a user-specified source document
> and stylesheet. By calling external Java methods from the stylesheet,
> you had total access to files on the web server.
> 
> Although W3C have patched their servlet to disallow Java method calls, I
> suspect many others are still doing this.

Just out of interest: How will it handle an XPath including
``document('file:///some/secret/file.xml')''?
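
Added example, not part of the original message or of the W3C servlet: one way a service that runs user-supplied stylesheets can close both holes raised in this thread (Java method calls and `document()` reads of local files). It assumes the JDK's built-in JAXP XSLT processor on Java 8 or later; other processors may reject these attributes with `IllegalArgumentException`. The class name `LockedDownXslt` is hypothetical.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Hypothetical class name; assumes the JDK's built-in JAXP XSLT processor.
public class LockedDownXslt {
    // Refuse every URI the stylesheet asks the processor to load.
    static final URIResolver DENY_ALL = (href, base) -> {
        throw new TransformerException("external reference refused: " + href);
    };

    static Transformer newTransformer(String untrustedXslt) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing turns off extension functions (Java method calls).
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no external DTDs, and no external targets
        // for xsl:import, xsl:include or document().
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setURIResolver(DENY_ALL);   // compile time: xsl:import / xsl:include
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(untrustedXslt)));
        t.setURIResolver(DENY_ALL);    // run time: document()
        return t;
    }

    public static void main(String[] args) {
        // Constructed stylesheet using the document() call quoted in the message above.
        String xslt =
            "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
          + "<xsl:template match='/'>"
          + "<out><xsl:copy-of select=\"document('file:///some/secret/file.xml')\"/></out>"
          + "</xsl:template></xsl:stylesheet>";
        StringWriter out = new StringWriter();
        try {
            newTransformer(xslt).transform(
                new StreamSource(new StringReader("<in/>")), new StreamResult(out));
            System.out.println("transform output: " + out);
        } catch (TransformerException e) {
            System.out.println("transform refused: " + e.getMessage());
        }
    }
}
```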






Copyright 2001 XML.org. This site is hosted by OASIS