This is the mail archive of the
xsl-list@mulberrytech.com
mailing list .
Re: XSLT 1.1 comments -Examples please
- To: xsl-list at lists dot mulberrytech dot com
- Subject: Re: [xsl] XSLT 1.1 comments -Examples please
- From: David Carlisle <davidc at nag dot co dot uk>
- Date: Thu, 15 Feb 2001 13:14:47 GMT
- References: <9B66BBD37D5DD411B8CE00508B69700F4F0225@pborolocal.rnib.org.uk>
- Reply-To: xsl-list at lists dot mulberrytech dot com
> 2. A nasty. xsl:script to run a command rm -r *
why restrict to xsl:script ? It's already possible to execute arbitrary
code in current processors. Have you any idea what
<xsl:value-of select="x:xxx()"
xmlns:x="http://www.oracle.com.XSL/Transform/java/java.util.diediedie"/>
does? (I haven't)
whether or not your extension functions can do damage depends on the
environment in which you choose to run them. Java and most scripting
langauges are set up to have the option of running in constrained
(more) secure environments, as usually is the default if accessed from a
browser. If you choose to run code picked up off this mailing list
in an unrestricted environment then you need to know what you are doing.
But that is basic precautions, it is nothing related to xsl:script,
which does not change the functionality available to extensions, it only
changes the way they are declared.
David
_____________________________________________________________________
This message has been checked for all known viruses by Star Internet delivered
through the MessageLabs Virus Control Centre. For further information visit
http://www.star.net.uk/stats.asp
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list