Oh, I see what you were saying now. Keep in mind my message made no assumptions about malicious script -- all of those security threats I mentioned (overruns, external resolution) still exist even if the XSLT has no support for scripting. They are a concern for any XSLT processor, not just MSFT.
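Dare's point above (external resolution is a threat even without script support) and bryan's point further down the thread (extension functions that run script), as an added defender-side example that is not from the thread: the .NET XSLT processor driven from PowerShell, configured so a stylesheet from another domain can neither run script nor resolve external documents. The XML, the stylesheet, the `ext` prefix and the `example.invalid` URI are constructed sample input.

```powershell
# Added example (not from the thread): run System.Xml.Xsl.XslCompiledTransform
# with script and document() disabled and no resolver, then show how a
# stylesheet that needs either capability is rejected instead of executed.
$xml = @'
<?xml version="1.0"?>
<doc><greeting>hello</greeting></doc>
'@

# Constructed stylesheet that (a) declares an msxsl:script block and
# (b) calls document() on a remote URI: the two capabilities the thread
# argues about (script extensions and external resolution).
$xsl = @'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:ext="urn:example-placeholder">
  <msxsl:script language="JScript" implements-prefix="ext">
    function hello() { return "from script"; }
  </msxsl:script>
  <xsl:template match="/">
    <out>
      <xsl:value-of select="ext:hello()"/>
      <xsl:value-of select="document('http://example.invalid/other.xml')"/>
    </out>
  </xsl:template>
</xsl:stylesheet>
'@

function Invoke-RestrictedXslt {
    param([string]$Xml, [string]$Xsl)
    # XsltSettings(enableDocumentFunction, enableScript): both off.
    # A $null stylesheet resolver also stops xsl:import/xsl:include fetches.
    $settings = New-Object System.Xml.Xsl.XsltSettings($false, $false)
    $xslt = New-Object System.Xml.Xsl.XslCompiledTransform
    $xslReader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Xsl))
    try {
        $xslt.Load($xslReader, $settings, $null)
        $xmlReader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Xml))
        $sw = New-Object System.IO.StringWriter
        $xslt.Transform($xmlReader, $null, $sw)
        return "ACCEPTED: " + $sw.ToString()
    } catch {
        # The compiler refuses the script block / document() call under these
        # settings; report the reason rather than silently degrading.
        return "REJECTED: " + $_.Exception.GetBaseException().Message
    }
}

Invoke-RestrictedXslt -Xml $xml -Xsl $xsl
```

Removing the `msxsl:script` block and the `document()` call from the constructed stylesheet makes the same function return the transformed output, which is the "quarantine only what needs it" behaviour the thread asks for.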
-----Original Message-----
From: Sebastian Schnitzenbaumer [mailto:schnitz@mozquito.com]
Sent: Thu 8/15/2002 8:48 AM
To: Dare Obasanjo; bryan; xml-dev@lists.xml.org
Cc:
Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
And I agree too, of course. But that wasn't the issue. I never
asked about VBscript in my XSL in the first place. And I
wasn't aware how harmful XSL can be. An XML stylesheet
wasn't meant to be a security problem in the first place,
and extending it for some 20% cases (allowing scripts) so it is
treated as a security problem for the other 80% cases (just
using XSL as it is) doesn't make sense to me. CSS
was never extended with scripts and works just fine
cross-domain in IE and all other browsers. Why
can't just the stylesheets with scripts get the quarantine
behaviour? Why must every cross-domain XSL be treated as if
it would contain a malicious script, even though it doesn't use
script at all? This would be similar to saying you can't view
plain HTML pages unless it's a trusted site because the HTML
could possibly contain a malicious script.
As it stands, I'm afraid your cure is worse than the disease,
- Sebastian
-----Original Message-----
From: Dare Obasanjo
Sent: Thu 15.08.2002 16:39
To: Sebastian Schnitzenbaumer; bryan; xml-dev@lists.xml.org
Cc:
Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
Security and convenience are a continuum. In today's internet
connected world, one typically has to trade up some convenience if they
want security. We are all witnesses to what happened when Microsoft
leaned more towards convenience than security in our products. I'm quite
glad that we've decided to shift to the other side and trade up
convenience for more security.
I'm sure many others agree.
-----Original Message-----
From: Sebastian Schnitzenbaumer [mailto:schnitz@mozquito.com]
Sent: Thu 8/15/2002 5:52 AM
To: bryan; xml-dev@lists.xml.org
Cc:
Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
I've invented this great new language the other day, it only has four characters: °, o, 8 and .
So now I would say:
.oo88o°8o°°...°.8ooo
and
...oo8o8o°o°o8.o.o8.oo.8°°..
and sometimes I'd even express myself thru
ooo888°°°
or, in very special cases, I'd say
°°°888ooo
I wrote a poem the other day:
o..8.o.88.°°°.8.ooo.o88o°°°°
..o8.8ooo8.oo8.ooo.8°8°8°8
ooo..o.88o°8o°8o°8o°oo°°°°
Beautiful, isn't it?
Oh, you can't read this? I'm afraid the stylesheet that someone else did that translates this into English is considered harmful...
Please understand! You must be protected, this evil stylesheet could:
- Make you blind thru evil use of colors and contrast
- Collapse the wave function so the probability of your desktop being different in the future is slightly increased.
- Sebastian
-----Original Message-----
From: bryan
Sent: Thu 15.08.2002 11:08
To: xml-dev@lists.xml.org
Cc:
Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
Sebastian Schnitzenbaumer wrote:
>>Why is it dangerous to load an XSL from somewhere else?
Joshua Allen wrote:
>On the one hand, you could say, "It should treat XSLT processor the same way as CSS", but on the other hand you might say "thank heavens that people can't take control of my machine by exploiting buffer overruns in the XSLT processor."
I don't think you could say "it should treat XSLT processor the same way as CSS" what with the possibility to create extension functions that use vbscript, javascript, can call com components etc.
By the way, in case anyone didn't see this article:
http://www.theregister.co.uk/content/archive/24815.html
MS downloads wd-xsl to Windows-XP for search. Not the same subject but somewhat related.
-----------------------------------------------------------------
The xml-dev list is sponsored by XML.org <http://www.xml.org>, an initiative of OASIS <http://www.oasis-open.org>
The list archives are at http://lists.xml.org/archives/xml-dev/
To subscribe or unsubscribe from this list use the subscription manager: <http://lists.xml.org/ob/adm.pl>