RE: [xsl] The evaluate function

Cart

XML Editor - Download a Free Trial >

See What's New >

Buy Now >

[Home] [By Thread] [By Date] [Recent Entries]

Subject: RE: The evaluate function
From: Joerg Pietschmann <joerg.pietschmann@xxxxxx>
Date: Thu, 03 Jan 2002 18:20:02 +0100

Apart from all the issues mentioned by Mr.Kay, an eval()
function makes it rather easy to open security holes in
a style sheet.
For example, once you figured out you can put a XPath into
the nice "Enter your query here" field which is passed
directly to an eval() function, what will stop you from
entering
 document("file:///C/Documents and Settings/Administrator/preferences.xml")?
 :-)
Or, if extension functions may be called indiscriminately:
 mswin:delete("C:\*.*","recursive")

Regards
J.Pietschmann

 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list

Current Thread

RE: The evaluate function, (continued)
- Mark Feblowitz - Thu, 3 Jan 2002 08:35:17 -0500 (EST)
  - Evan Lenz - Thu, 3 Jan 2002 14:39:19 -0500 (EST)
- Joerg Pietschmann - Thu, 3 Jan 2002 12:18:54 -0500 (EST) <=
  - Michael Kay - Thu, 3 Jan 2002 13:05:48 -0500 (EST)
- Brinkman, Theodore - Thu, 3 Jan 2002 12:26:46 -0500 (EST)
- Matt G. - Thu, 3 Jan 2002 20:42:39 -0500 (EST)
- Joerg Pietschmann - Tue, 8 Jan 2002 08:14:48 -0500 (EST)

<- Previous	Index	Next ->
RE: The evaluate function, Evan Lenz	Thread	RE: The evaluate function, Michael Kay
leading : on qnames, David Carlisle	Date	Hopefully not a terribly sill, Morgan Goeller
	Month

XML Editor - Download a 15 Day Free Trial Now >

See What's New in Stylus Studio >

Buy Stylus Studio - XML Editor - Now >