OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] XML is Mobile Code? [was: Defining an XML vocabulary: specify syntax, semantics, and BEHAVIOR?]

Well the 'boundedness' of the code is determined by the processor
which implements the specification. Boundedness is generally a
function of environmental limitations, see Principle of Least
Privilege. The example you gave was XSL-T, as a general rule while
XSL-T is a Turing complete language like JavaScript it tends to have
less privilege than JavaScript.

Bryan Rasmussen

On Sat, Apr 12, 2008 at 1:15 PM, Costello, Roger L. <costello@mitre.org> wrote:
> Hi Folks,
>  It just occurred to me ...
>  We have determined that XML has two primary roles:
>     1. Encode behavior (instructions)
>     2. Encode data
>  [Len, what does it mean to "encode script nodes?"]
>  In its first role (encoding behavior), XML is mobile code.  For
>  example, the XSLT vocabulary is an encoding of a certain behavior (i.e.
>  an encoding of a certain set of instructions), and when you transport
>  an XSLT document across the Internet, you are transporting code.
>  When you transport, say, JavaScript code across the Internet, you know
>  the extent of the security implications since JavaScript is a bounded
>  syntax with bounded capabilities (and a bounded set of security
>  problems).
>  But XML is unbounded, and the types of behavior that may be encoded in
>  XML is unbounded.  Thus, there is no way, in general, to assess the
>  extent of the security implications for arbitrary XML documents.
>  Yikes!
>  I am surely missing something.  Please tell me where my thinking errs.
>  /Roger
>  _______________________________________________________________________
>  XML-DEV is a publicly archived, unmoderated list hosted by OASIS
>  to support XML implementation and development. To minimize
>  spam in the archives, you must subscribe before posting.
>  [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>  Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
>  subscribe: xml-dev-subscribe@lists.xml.org
>  List archive: http://lists.xml.org/archives/xml-dev/
>  List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS