OASIS Mailing List Archives
   RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains


Oh, I see what you were saying now.  Keep in mind my message made no assumptions about malicious script -- all of those security threats I mentioned (overruns, external resolution) still exist even if the XSLT has no support for scripting.  They are a concern for any XSLT processor, not just MSFT.

	-----Original Message-----
	From: Sebastian Schnitzenbaumer [mailto:schnitz@mozquito.com]
	Sent: Thu 8/15/2002 8:48 AM
	To: Dare Obasanjo; bryan; xml-dev@lists.xml.org
	Cc:
	Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains

	And I agree too, of course. But that wasn't the issue. I never
	asked about VBscript in my XSL in the first place. And I
	wasn't aware how harmful XSL can be. An XML stylesheet
	wasn't meant to be a security problem in the first place,
	and extending it for some 20% cases (allowing scripts) so it is
	treated as a security problem for the other 80% cases (just
	using XSL as it is) doesn't make sense to me. CSS
	was never extended with scripts and works just fine
	cross-domain in IE and all other browsers. Why
	can't just the stylesheets with scripts get the quarantine
	behaviour? Why must every cross-domain XSL be treated as if
	it would contain a malicious script, even though it doesn't use
	script at all? This would be similar to saying you can't view
	plain HTML pages unless it's a trusted site because the HTML
	could possibly contain a malicious script.
	
	As it stands, I'm afraid your cure is worse than the disease,
	
	- Sebastian
	
	        -----Original Message-----
	        From: Dare Obasanjo
	        Sent: Thu 15.08.2002 16:39
	        To: Sebastian Schnitzenbaumer; bryan; xml-dev@lists.xml.org
	        Cc:
	        Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
	
	        Security and convenience are a continuum. In today's internet
	        connected world, one typically has to trade up some convenience if they
	        want security. We are all witnesses to what happened when Microsoft
	        leaned more towards convenience than security in our products. I'm quite
	        glad that we've decided to shift to the other side and trade up
	        convenience for more security.

	        I'm sure many others agree.
	       
	                -----Original Message-----
	                From: Sebastian Schnitzenbaumer [mailto:schnitz@mozquito.com]
	                Sent: Thu 8/15/2002 5:52 AM
	                To: bryan; xml-dev@lists.xml.org
	                Cc:
	                Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
	       
	                I've invented this great new language the other day, it only
	                has four characters: °, o, 8 and .

	                So now I would say:

	                .oo88o°8o°°...°.8ooo

	                and

	                ...oo8o8o°o°o8.o.o8.oo.8°°..

	                and sometimes I'd even express myself thru
	                ooo888°°°
	                or, in very special cases, I'd say
	                °°°888ooo

	                I wrote a poem the other day:
	                o..8.o.88.°°°.8.ooo.o88o°°°°
	                ..o8.8ooo8.oo8.ooo.8°8°8°8
	                ooo..o.88o°8o°8o°8o°oo°°°°

	                Beautiful, isn't it?

	                Oh, you can't read this? I'm afraid the stylesheet that someone
	                else did that translates this into English is considered harmful...
	                Please understand! You must be protected, this evil stylesheet
	                could:

	                - Make you blind thru evil use of colors and contrast
	                - Collapse the wave function so the probability of your
	                  desktop being different in the future is slightly increased.

	                - Sebastian
	              
	              
	              
	              
	              
	                        -----Original Message-----
	                        From: bryan
	                        Sent: Thu 15.08.2002 11:08
	                        To: xml-dev@lists.xml.org
	                        Cc:
	                        Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
	                     
	                     
	              
	                        Sebastian Schnitzenbaumer wrote:
	                        >>Why is it
	                        >>dangerous to load an XSL from somewhere else?

	                        Joshua Allen wrote:
	                        >On the one hand, you could say, "It should treat XSLT processor the same
	                        >way as CSS", but on the other hand you might say "thank heavens that people
	                        >can't take control of my machine by exploiting buffer overruns in the XSLT
	                        >processor."

	                        I don't think you could say "it should treat XSLT processor the same way
	                        as CSS" what with the possibility to create extension functions that
	                        use vbscript, javascript, can call COM components etc.

	                        By the way, in case anyone didn't see this article:

	                        http://www.theregister.co.uk/content/archive/24815.html

	                        MS downloads wd-xsl to Windows-XP for search. Not the same subject but
	                        somewhat related.

	                        -----------------------------------------------------------------
	                        The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
	                        initiative of OASIS <http://www.oasis-open.org>

	                        The list archives are at http://lists.xml.org/archives/xml-dev/

	                        To subscribe or unsubscribe from this list use the subscription
	                        manager: <http://lists.xml.org/ob/adm.pl>