xml-dev - Re: [xml-dev] XInclude: security risk 1

Re: [xml-dev] XInclude: security risk 1

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] XInclude: security risk 1
From: Richard Tobin <richard@cogsci.ed.ac.uk>
Date: Mon, 28 Oct 2002 17:38:30 GMT
Cc:
In-reply-to: <p04330100b9e080b82819@[192.168.254.4]>
Organization: HCRC, University of Edinburgh

On reflection, I think XInclude's security issues are really just a
subset of those that browsers have with XSLT, or at least are solvable
in the same way.  XSLT allows you to fetch data from a local file
using document("file:///whatever") and even allows you to pass out
that information as part of a URL in another document() call.

I checked what Mozilla does in this case, and it appears to refuse
to fetch a file: URL from a document() call in a remote stylesheet.

-- Richard

Follow-Ups:
- Re: [xml-dev] XInclude: security risk 1
  - From: Elliotte Rusty Harold <elharo@metalab.unc.edu>

References:
- XInclude: security risk 1
  - From: Elliotte Rusty Harold <elharo@metalab.unc.edu>

Prev by Date: RE: [xml-dev] What is XML For?
Next by Date: Re: [xml-dev] XInclude: security risk 1
Previous by thread: Re: [xml-dev] XInclude: security risk 1
Next by thread: Re: [xml-dev] XInclude: security risk 1
Index(es):
- Date
- Thread