Liam Quin wrote:
> On Wed, Aug 17, 2005 at 11:44:30AM -0400, Robert Koberg wrote:
>>Michael Kay wrote:
>>>Saxon already has an extension, saxon:discard-document(), designed to
>>I did not know that and it is good to know. I disable extensions (and
>>don't really investigate them) as I run some untrusted XSLs in my CMS
> Watch that an XSLT transform can read (or try to read) any
> file on your system and can open arbitrary http (and often ftp)
> connections on arbitrary ports.
I use custom URIResolvers for the factory and the transformer to handle
this type of thing. A project's XSL for import/include is resolved in
the factory's resolver (first looking in the project workspace, then in
a default location). XML brought in through the document function is
resolved in the transformer's resolver. The resolvers basically chroot
jail the transformation to their project's workspace and the
>>Any chance of this type of thing getting into the spec?
> If the document falls out of scope then both XSLT 1 and 2 allow
> an implementation to discard it. I don't think we'll see a
> procedural way to discard a document otherwise, except as
> part of something like the XQuery update facility perhaps.
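
A sketch of the resolver confinement described in the reply above, as an added example that is not code from the thread or from Saxon. The class name `JailedResolver` and the ordered list of root directories (project workspace first, then a default location) are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerException;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamSource;

/** Hypothetical resolver (not from the thread): serves only regular files under the given roots. */
public final class JailedResolver implements URIResolver {
    private final Path[] roots; // search order, e.g. project workspace first, then default location

    public JailedResolver(Path... dirs) throws IOException {
        roots = new Path[dirs.length];
        for (int i = 0; i < dirs.length; i++) roots[i] = dirs[i].toRealPath(); // symlinks resolved
    }

    @Override
    public Source resolve(String href, String base) throws TransformerException {
        try {
            URI b = (base == null || base.isEmpty()) ? roots[0].toUri() : URI.create(base);
            URI uri = b.resolve(href);
            // Only plain local files: rejects http:, ftp:, jar: and unresolved relative URIs.
            if (!"file".equalsIgnoreCase(uri.getScheme())) throw denied(href, base);
            Path wanted = Paths.get(uri).normalize(); // collapses ../ segments lexically
            for (Path home : roots) {
                if (!wanted.startsWith(home)) continue; // lexically outside this root
                Path rel = home.relativize(wanted);
                for (Path root : roots) { // try the same relative path in each root, in order
                    Path candidate = root.resolve(rel);
                    if (!Files.isRegularFile(candidate)) continue;
                    // Re-check after resolving symlinks so a link cannot point outside the jail.
                    Path real = candidate.toRealPath();
                    if (real.startsWith(root)) return new StreamSource(real.toFile());
                }
            }
            throw denied(href, base);
        } catch (IllegalArgumentException | IOException e) {
            throw new TransformerException("Cannot resolve '" + href + "'", e);
        }
    }

    // Always throw: returning null would let the processor fall back to its own resolution.
    private static TransformerException denied(String href, String base) {
        return new TransformerException("Blocked URI '" + href + "' (base '" + base + "')");
    }
}
```

Install one instance with `TransformerFactory.setURIResolver` (covers `xsl:import` and `xsl:include`) and one with `Transformer.setURIResolver` (covers `document()`). External entities and DTDs in the source XML are fetched by the XML parser, not through a `URIResolver`, so they need to be restricted separately.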