cocoon-dev mailing list archives

From "Robert Koberg" <>
Subject RE: XSL Security question
Date Thu, 30 Jan 2003 16:09:08 GMT

> -----Original Message-----
> From: Hunsberger, Peter []
> Sent: Thursday, January 30, 2003 7:48 AM
> To: ''
> Subject: RE: XSL Security question
>
> > Where the files directory would contain a user's directory which users
> > could upload their own versions of the stylesheets, i.e. skins. I would
> > want to define a specific transformer that would not affect the
> > transformations in the rest of the application but would limit the user
> > to using basic xsl transformations or to limit the user to his xsl file
> > and that alone.
> <snip>
> > Does anyone have any ideas on how to implement this safely or is it just
> > a bad idea?
>
> Hi Andrew,
>
> This seems like a bad idea: skins are configuration data, giving someone a
> programming language to implement data doesn't make sense.  Instead let them
> define an XML file with various settings that define how the skin is
> implemented.  Then use an XSLT to combine their configuration data with any
> other default configuration data.  Since there are many people already doing
> exactly this you may want to look around a little and, in particular, pay
> some attention to Forrest if you haven't already done so...

There are definitely situations where you need to have project-defined XSLT. We
use a combination of chroot jails (if shell access) and URIResolvers to keep the
dev-user where they should be. Also, since we use Saxon, we turn off extensions:

  TransformerFactory factory = TransformerFactory.newInstance();
  // Saxon-specific attribute: disallow calls to external (extension) functions
  factory.setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, new Boolean(false));

The URIResolver only checks the client's available (cached?) files:

  boolean isValidHref(File f) {
      String req_f = f.getAbsolutePath();
      // accept only paths that begin with the client's directory
      if (req_f.startsWith(ServletContext.getRealPath(this.client_path))) {
          return true;
      }
      return false; // the URIResolver returns a
                    // StreamSource(StringReader("<file not available/>"))
  }

What am I missing? :-o
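
An added example, not part of the original post or of Cocoon or Saxon: one way to write the resolver's containment check so that it compares canonical paths element by element rather than raw string prefixes, which would also match `..` segments and sibling directories sharing a name prefix. The class name `ClientDirResolver`, the `<file-not-available/>` placeholder and the temporary directory layout in `main` are assumptions made for the demonstration.

```java
import java.io.*;
import java.net.URI;
import java.nio.file.*;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamSource;
// Hypothetical class: confines xsl:import, xsl:include and document() to one directory.
public class ClientDirResolver implements URIResolver {
    private final Path root;
    public ClientDirResolver(File clientDir) throws IOException {
        // Canonical form resolves "." and ".." segments and symlinks.
        this.root = clientDir.getCanonicalFile().toPath();
    }

    boolean isValidHref(File f) {
        try {
            // Path.startsWith compares whole name elements, so a sibling such as
            // clients/ab is not accepted as being inside clients/a.
            return f.getCanonicalFile().toPath().startsWith(root);
        } catch (IOException e) {
            return false; // path cannot be resolved: deny
        }
    }

    public Source resolve(String href, String base) {
        try {
            URI baseUri = (base == null || base.isEmpty()) ? root.toUri() : URI.create(base);
            File f = new File(baseUri.resolve(href)); // throws for non-file: URIs
            if (f.isFile() && isValidHref(f)) {
                return new StreamSource(f);
            }
        } catch (IllegalArgumentException e) {
            // malformed or non-file href: fall through to the placeholder
        }
        return new StreamSource(new StringReader("<file-not-available/>"));
    }
    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/clients/a/skin.xsl and <tmp>/clients/ab/other.xsl
        Path clients = Files.createTempDirectory("demo").resolve("clients");
        Path a = Files.createDirectories(clients.resolve("a"));
        Path other = Files.createDirectories(clients.resolve("ab")).resolve("other.xsl");
        Files.write(a.resolve("skin.xsl"), "<x/>".getBytes());
        Files.write(other, "<x/>".getBytes());
        ClientDirResolver r = new ClientDirResolver(a.toFile());
        for (String href : new String[] {"skin.xsl", "../ab/other.xsl", other.toUri().toString()}) {
            // A StreamSource built from a File carries a system id; the placeholder does not.
            boolean served = r.resolve(href, null).getSystemId() != null;
            System.out.println(href + " -> " + (served ? "served" : "placeholder"));
        }
    }
}
```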

