Subject: Re: XSLT 2.0: Security concerns
From: Robert Koberg <rob@xxxxxxxxxx>
Date: Wed, 18 Jul 2007 11:11:00 -0400
On Thu, 2007-07-19 at 00:25 +0900, Justin Johansson wrote:
> One security concern is that someone may enter XPath code containing the
> document function and access (read) files on the server which are not for
> public consumption. The solution to this is to check the submitted code and
> disallow any transform containing the document() function.
Use a custom URIResolver that works for both the import/includes and the
document function.
>
> Another concern is that someone might try to submit a stylesheet containing
> Java extensions and attempt to do something really nasty. To this end, the
> submitted code is restricted to being just the body of an XSL stylesheet ..
> i.e. the server will wrap the code in an xsl:stylesheet element.
Saxon has a property where you can disable extensions.
> Do people have any advice on whether there are any other security concerns
> to be aware of?
Yes - result-document. I believe Saxon has a way for you to write a
resolver so that result document output can be controlled (haven't done
it).
Maybe turn off your XML parser's XInclude, Schema, DTD handling.
best,
-Rob
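
The custom URIResolver suggested in the reply above could look like the following. This is an added example, not code from the thread or from Saxon: the class name `SandboxResolver`, the method `hardenedFactory` and the single-directory allow-list policy are assumptions, and it uses only the standard JAXP API (the Saxon-specific property for disabling extensions is not shown).

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamSource;

/** Hypothetical allow-list resolver: only files under one directory resolve. */
public class SandboxResolver implements URIResolver {
    private final Path root;

    public SandboxResolver(Path root) throws IOException {
        this.root = root.toRealPath();   // canonical form, symlinks resolved
    }

    @Override
    public Source resolve(String href, String base) throws TransformerException {
        try {
            // Assumed policy: resolve against the sandbox root, not the caller-supplied base.
            URI uri = root.toUri().resolve(href);
            if (!"file".equals(uri.getScheme())) {
                throw new TransformerException("scheme not allowed: " + href);
            }
            // toRealPath() collapses ".." and follows symlinks before the containment check.
            Path target = Paths.get(uri).toRealPath();
            if (!target.startsWith(root)) {
                throw new TransformerException("outside sandbox: " + href);
            }
            return new StreamSource(target.toFile());
        } catch (IOException | IllegalArgumentException e) {
            // Never return null: JAXP treats null as "let the processor resolve it itself".
            throw new TransformerException("cannot resolve: " + href, e);
        }
    }

    /** Factory whose xsl:import, xsl:include and document() lookups go through the resolver. */
    public static TransformerFactory hardenedFactory(Path root) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Standard JAXP switch; processors use it to restrict features such as extension functions.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setURIResolver(new SandboxResolver(root));
        return tf;
    }
}
```

The factory-level resolver covers xsl:import and xsl:include at compile time; calling `setURIResolver` on each `Transformer` as well makes the document() path explicit rather than relying on inheritance from the factory.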