cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lee Burgess <>
Subject Re: XSLTProcessor patch, etc...
Date Wed, 26 Apr 2000 23:22:35 GMT
Robin Green writes:
 > I think that would be really useful. After all, we regularly hear requests 
 > for a simple way of doing this. If security is a concern, it would be simple 
 > to add an option to to switch this facility on and off.


 > Of course in the long term, it would be good to have fine-grained control, 
 > in the Cocoon 2 sitemap - i.e. specifying this option only for individual 
 > files or directories.

Yeah, I just had a conversation in which I was reminded of exactly how
big a security risk this option could be.  One thing that really
annoys me about web development is having to constantly be on guard
against server side code that any user can potentially pass
commands/parameters into.  (Though, I hope Java is not as bad as Perl
in this respect.)

 > If you wanted to validate the stylesheet parameter you'd still have to use 
 > XSP or something, but that makes sense - validation is potentially a can of 
 > worms. (For example, I can think of one particular case I'm hoping to 
 > implement - user-defined stylesheets! [Yes, I will restrict what the user 
 > can do.] With that, it could not necessarily be validated against a static 
 > list, so better to write special code for that.)

I cannot speak to this specifically, but I do like the idea of being
able to turn "xsl requests" on and off.  Additionally, if the feature
is turned on, only those XSLs defined in, say, the
file, would be accessible through that feature.

The whole issue also implies that one write stylesheets and
logicsheets with extreme care.

Lee P. W. Burgess  <<!>>  The first rule of Lefty is: you do not talk
Programmer         <<!>>  about Lefty.
Red Bean Software  <<!>>  The second rule of Lefty is: YOU DO NOT TALK <<!>>  ABOUT LEFTY.

View raw message