   Re: [xml-dev] XInclude: security risk 1


At 01:47 PM 10/26/2002 -0400, Elliotte Rusty Harold wrote:
>However, I suspect it's at least bad enough that browser vendors and other 
>XInclude users should be made aware of the issues, and perhaps not 
>XInclude by default; or perhaps it would be enough just not to fallback. 
>Or perhaps not make the post-inclusion DOM available through scripting. Or 
>limit the URLs included to ones from the same host as the base page came 
>from. Thoughts?

It reminds me a bit of the issues that David Megginson raised back at XTech 
2000:
http://www.xml.com/pub/a/2000/02/xtech/megginson.html

I can't find David's original slides, but it more or less covered the risks 
created by wide-open URI processing in a variety of different contexts.  It 
was prior to XInclude, but pretty interesting stuff.  Those tools don't 
include a fallback for sending messages back, though!



Simon St.Laurent
"Every day in every way I'm getting better and better." - Emile Coue
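The mitigations floated in the quoted message (limit included URLs to the base page's host, and don't fall back when an include fails, so a failed include cannot be turned into a signal back to whoever planted it) can be expressed as a small inclusion policy. The following is an added example, not code from the thread or from any XInclude implementation: a minimal resolver that expands xi:include elements only when the target shares the top-level page's origin, refuses any include that carries an xi:fallback, and fails the whole page closed on a violation. The sample documents, the hosts example.test and evil.test, and the function names are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

XI_NS = "http://www.w3.org/2001/XInclude"
XI_INCLUDE = "{%s}include" % XI_NS
XI_FALLBACK = "{%s}fallback" % XI_NS


def _page(body):
    """Wrap a body in a <page> element that declares the xi: prefix."""
    return f'<page xmlns:xi="{XI_NS}">{body}</page>'


# Constructed sample "web" (URL -> body) so the example runs offline.
# example.test is the page's own host; evil.test stands in for a third party.
SAMPLE_DOCS = {
    "http://example.test/safe.xml": _page('<xi:include href="parts/sidebar.xml"/>'),
    "http://example.test/parts/sidebar.xml":
        f'<sidebar xmlns:xi="{XI_NS}">side<xi:include href="footer.xml"/></sidebar>',
    "http://example.test/parts/footer.xml": "<footer>local footer</footer>",
    "http://example.test/crossorigin.xml":
        _page('<xi:include href="http://evil.test/x.xml"/>'),
    "http://evil.test/x.xml": "<x>must never be fetched</x>",
    "http://example.test/fallback.xml":
        _page('<xi:include href="missing.xml"><xi:fallback>probe</xi:fallback></xi:include>'),
}


class IncludeDenied(Exception):
    """Raised when an xi:include violates the inclusion policy."""


def same_origin(a, b):
    """True when both URLs share scheme, host and port."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def expand_includes(page_url, fetch, max_depth=4):
    """Fetch page_url and expand its xi:include elements under the policy:
    same origin as the page, no xi:fallback, parse='xml' only, bounded nesting.
    Any violation raises IncludeDenied and no document is produced (fail closed)."""
    root = ET.fromstring(fetch(page_url))
    _expand(root, page_url, page_url, fetch, max_depth)
    return root


def _expand(elem, doc_url, page_url, fetch, depth):
    for i, child in enumerate(list(elem)):
        if child.tag != XI_INCLUDE:
            _expand(child, doc_url, page_url, fetch, depth)
            continue
        if child.find(XI_FALLBACK) is not None:
            raise IncludeDenied("xi:fallback not permitted: a failed include fails the page")
        if child.get("parse", "xml") != "xml":
            raise IncludeDenied("only parse='xml' includes are permitted")
        if depth == 0:
            raise IncludeDenied("include nesting too deep")
        # A relative href resolves against the document that contains it ...
        target = urljoin(doc_url, child.get("href", ""))
        # ... but the origin check is always made against the top-level page.
        if not same_origin(page_url, target):
            raise IncludeDenied(f"cross-origin include refused: {target}")
        node = ET.fromstring(fetch(target))
        _expand(node, target, page_url, fetch, depth - 1)
        node.tail = child.tail          # keep any text that followed the include
        elem[i] = node                  # splice the included tree into place


def include_status(page_url, docs=SAMPLE_DOCS):
    """Return 'ok' when the page expands cleanly, else the policy violation."""
    try:
        expand_includes(page_url, docs.__getitem__)
        return "ok"
    except IncludeDenied as exc:
        return str(exc)


if __name__ == "__main__":
    for url in ("http://example.test/safe.xml",
                "http://example.test/crossorigin.xml",
                "http://example.test/fallback.xml"):
        print(url, "->", include_status(url))
```

Run as a script it prints one line per sample page: the same-host page expands (including a nested relative include resolved against the sidebar's own URL), the cross-origin page is refused before the third-party URL is fetched, and the page carrying an xi:fallback is refused outright rather than silently substituting the fallback content.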
