cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefano Mazzocchi <>
Subject Re: XSL Security question
Date Wed, 29 Jan 2003 15:13:08 GMT
copying xalan-dev:

Andrew Timberlake wrote:
> I don't know all the capabilities of XSL and would like to know if there
> is a security risk in allowing users to upload any XSL files to be used
> in a 'skins' type of application?
> My one concern would be using the document('') methods to load and
> display other files from the system?
> If this is not a good idea, can we sandbox an xsl transformer somehow?

Yes, there is a security concern in terms of reading stuff accessible 
from the user executing the virtual machine. If you can also find a way 
to upload classes and/or scripts, you could execute them from those 
stylesheets using extensions or BSF.

Some servlet engines allow you to setup a security sandbox around the 
entire servlet (cocoon in this case, or your own code), so that would 
limit somehow your vulnerability.

Another possibility would be to have the XSLT transformer being 'locked' 
and avoid accessing anything that is not included in the stylesheet 
(that means: forbidding document() and extensions, maybe imports too)

maybe the xalan team has something ready for this already?

Stefano Mazzocchi                               <>

To unsubscribe, e-mail:
For additional commands, email:

View raw message