This is the mail archive of the xsl-list@mulberrytech.com mailing list .

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

RE: The evaluate function

From: Joerg Pietschmann <joerg dot pietschmann at zkb dot ch>
To: XSL List <xsl-list at lists dot mulberrytech dot com>
Date: Thu, 03 Jan 2002 18:20:02 +0100
Subject: RE: [xsl] The evaluate function
Organization: ZKB
Reply-to: xsl-list at lists dot mulberrytech dot com


Apart from all the issues mentioned by Mr.Kay, an eval()
function makes it rather easy to open security holes in
a style sheet.
For example, once you figured out you can put a XPath into
the nice "Enter your query here" field which is passed
directly to an eval() function, what will stop you from
entering
 document("file:///C/Documents and Settings/Administrator/preferences.xml")?
 :-)
Or, if extension functions may be called indiscriminately:
 mswin:delete("C:\*.*","recursive")

Regards
J.Pietschmann

 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list

Follow-Ups:
- RE: The evaluate function
  - From: Michael Kay

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]