
   Re: [xml-dev] XInclude: security risk 1


>It is somewhat (though far 
>from completely) mitigated by the fact that the document() function 
>can only point to well-formed XML documents so it can't steal 
>absolutely any file or URL.

You could combine it with an entity reference: use document() to refer
to an external document that has a file: entity reference.  Then any
plain text without less-thans or ampersands will be well-formed.

I'm sure that current browsers must already prevent this, probably by
disallowing file: references from non-trusted documents.

-- Richard
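A defence-in-depth check in the spirit of the mitigation Richard mentions (refusing file: references from non-trusted documents), added here as an example and not code from the thread: it screens untrusted XML or XSLT text for the three external-reference forms discussed above (entity declarations, XInclude hrefs, document() calls) and flags any whose URI scheme is outside an allowlist. The allowlist, the sample stylesheet and the base-scheme handling are assumptions; the primary control remains disabling external entity and include resolution in the parser itself.

```python
"""Pre-parse screen for external references in untrusted XML (assumed helper).

Reports DTD entity declarations, XInclude/XSLT include hrefs and document()
calls whose URI scheme is not on an allowlist, so a file: reference smuggled
in through an entity (as described in the thread) is refused before parsing.
"""
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: what an untrusted doc may fetch

# Loose patterns: this is a screen run before parsing, not a parser.
_PATTERNS = {
    # <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "id" "uri">
    "entity": re.compile(
        r'<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"', re.I),
    # <xi:include href="..."/> (also catches <xsl:include href="..."/>)
    "xinclude": re.compile(
        r'<(?:\w+:)?include\b[^>]*\bhref\s*=\s*["\']([^"\']*)["\']', re.I),
    # XSLT document('uri') with a literal argument
    "document": re.compile(r'document\(\s*["\']([^"\']*)["\']\s*\)'),
}

def find_external_refs(xml_text, base_scheme="https"):
    """Return (kind, uri, scheme) for each external reference found.
    A relative URI inherits base_scheme, the scheme the document came from."""
    refs = []
    for kind, pat in _PATTERNS.items():
        for uri in pat.findall(xml_text):
            scheme = urlsplit(uri).scheme.lower() or base_scheme
            refs.append((kind, uri, scheme))
    return refs

def disallowed_refs(xml_text, base_scheme="https", allowed=ALLOWED_SCHEMES):
    """References whose scheme falls outside the allowlist (e.g. file:)."""
    return [r for r in find_external_refs(xml_text, base_scheme) if r[2] not in allowed]

# Constructed sample: an entity pointing at a local file, one http include,
# and a relative document() call that resolves against the base scheme.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE xsl:stylesheet [ <!ENTITY note SYSTEM "file:///home/user/notes.txt"> ]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="http://example.com/shared.xsl"/>
  <xsl:template match="/">
    <out><xsl:copy-of select="document('intro.xml')"/>&note;</out>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for kind, uri, scheme in disallowed_refs(SAMPLE):
        print(f"refusing {kind} reference {uri!r} (scheme {scheme})")
```

The same relative href is acceptable when the document was fetched over https but refused when it was loaded from a file: base, which is exactly the trust boundary the mitigation relies on.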



Copyright 2001 XML.org. This site is hosted by OASIS