cocoon-dev mailing list archives

From "Hunsberger, Peter" <Peter.Hunsber...@stjude.org>
Subject RE: XSL Security question
Date Thu, 30 Jan 2003 16:17:53 GMT
> There are definitely situations where you need to have project defined
> XSLT.

Possibly so, but "skins" shouldn't be one of them?  Just out of interest can
you give a concrete example?

> We use a combination of chroot jails (if shell access) and URIResolvers to
> keep the dev-user where they should be. Also, since we use Saxon, we turn
> off extensions with:

<snip>

> What am I missing? :-o

Got me, but I'd guess an infinitely looping XSLT DOS attack is a potential
problem?  Other than that, if Saxon (or the underlying Java engine) has any
potential buffer overflow problems, or other Sandbox leaks then you've given
people a nice Worm building environment (since XSLT is Turing complete)...

