cocoon-dev mailing list archives

From "Hunsberger, Peter" <>
Subject RE: XSL Security question
Date Thu, 30 Jan 2003 16:17:53 GMT
> There are definitely situations where you need to have project defined

Possibly so, but "skins" shouldn't be one of them?  Just out of interest can
you give a concrete example?

> We use a combination of chroot jails (if shell access) and URIResolvers to
> keep the dev-user where they should be. Also, since we use Saxon, we turn off
> with:


> What am I missing? :-o

Got me, but I'd guess an infinitely looping XSLT DOS attack is a potential
problem?  Other than that, if Saxon (or the underlying Java engine) has any
potential buffer overflow problems, or other Sandbox leaks then you've given
people a nice Worm building environment (since XSLT is Turing complete)...

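An added example, not part of the original message and not Cocoon or Saxon code: the two controls discussed in this thread, a URIResolver that confines stylesheet includes and document() to one project directory, and a time limit for a looping stylesheet, written against the standard JAXP API. The class name, the skin.xsl file and the sample input are constructed for illustration, and resolving every href against the project root is a simplifying assumption.

```java
import javax.xml.transform.*;
import javax.xml.transform.stream.*;
import java.io.*;
import java.nio.file.*;
import java.util.concurrent.*;

public class ConfinedTransform {
    // Resolver for xsl:import, xsl:include and document(): only files beneath root.
    // Simplification (assumption): every href is resolved against root, not the importing file.
    static URIResolver confinedTo(Path root) throws IOException {
        Path base = root.toRealPath();
        return (href, ignoredBase) -> {
            try {
                if (href.contains(":")) throw new TransformerException("URI scheme refused: " + href);
                Path target = base.resolve(href).toRealPath(); // collapses ".." and follows symlinks
                if (!target.startsWith(base)) throw new TransformerException("outside project dir: " + href);
                return new StreamSource(target.toFile());
            } catch (IOException e) { throw new TransformerException("cannot resolve " + href, e); }
        };
    }
    // Runs the transform on a worker thread and stops waiting after `seconds`.
    static String transform(Path root, String xsl, String xml, long seconds) throws Exception {
        URIResolver resolver = confinedTo(root);
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setURIResolver(resolver);                      // compile time: import/include
        Transformer t = tf.newTransformer(resolver.resolve(xsl, null));
        t.setURIResolver(resolver);                       // run time: document()
        ExecutorService pool = Executors.newSingleThreadExecutor(
            r -> { Thread th = new Thread(r); th.setDaemon(true); return th; });
        Future<String> job = pool.submit(() -> {
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        });
        try { return job.get(seconds, TimeUnit.SECONDS); }
        catch (TimeoutException e) {
            // The engine may ignore the interrupt; only a separate process can be killed for sure.
            job.cancel(true);
            throw new TransformerException("transform exceeded " + seconds + "s");
        } finally { pool.shutdownNow(); }
    }
    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("skins");   // constructed sample project dir
        Files.writeString(root.resolve("skin.xsl"),
            "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:template match='/'><xsl:value-of select='/page/title'/></xsl:template></xsl:stylesheet>");
        System.out.println(transform(root, "skin.xsl", "<page><title>Home</title></page>", 5));
        try { confinedTo(root).resolve("../../etc/passwd", null); }
        catch (TransformerException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

The time limit only frees the caller: a stylesheet that loops forever can keep its worker thread busy until the JVM exits, so per-request process isolation is the stronger bound.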