perl-embperl mailing list archives

From Jochen Topf <joc...@remote.org>
Subject Re: Default xsltparam
Date Fri, 11 Jun 2004 19:39:12 GMT
Hi!

On Wed, Jun 09, 2004 at 01:24:28PM +0200, Gerald Richter wrote:
> Jochen Topf wrote:
> > Hi!
> >
> > When using XSLT with Execute() like this:
> >
> > $ret = Execute({
> >     inputfile      => 'foo.xml',
> >     recipe         => 'EmbperlXSLT',
> >     xsltstylesheet => 'foo.xsl',
> > });
> >
> > without an 'xsltparam', the %fdat hash is used as default 'xsltparam'.
> >
> > I think this
> > a) violates the principle of least surprise. It surprised me a lot and I
> >    spent half an hour to figure out what a strange LibXSLT error meant
> >    that resulted from this. After I found it in the source code I also
> >    found it in the documentation, but I still think it's the wrong
> >    thing to do because
> > b) it is a potential security risk. It means data that is supplied by the
> >    client (and can be anything) is fed into the XSLT engine as
> >    parameter without checking it first.
> >
> 
> It is built in for convenience, but you are right, the current implementation
> is a security risk. The default behaviour should be to quote all values.
> From my point of view this should remove all security problems and doesn't
> cause a problem.
> 
> What do you think?

Yep. That sounds like a good solution.

Jochen
-- 
Jochen Topf  jochen@remote.org  http://www.remote.org/jochen/  +49-721-388298
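What "quote all values" means in practice, as an added example that is not part of this thread and not Embperl's own code: libxslt treats every parameter value as an XPath expression, so a raw form value is evaluated, not used as text. The script below uses a constructed stand-in for %fdat and a minimal stylesheet, converts each value into an XPath string literal with a hypothetical helper `xpath_literal()` (splitting with `concat()` when a value contains both quote characters, since XPath 1.0 has no escape character), and runs the transform through XML::LibXSLT directly rather than through Embperl's Execute().

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;
use XML::LibXSLT;

# Constructed stand-in for Embperl's %fdat: values exactly as a client sent them.
my %fdat = (
    name  => q{O'Brien "Bob"},   # contains both kinds of quote character
    color => 'red',
);

# Constructed minimal stylesheet that consumes the two parameters as text.
my $xsl = <<'XSL';
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:param name="name"/>
  <xsl:param name="color"/>
  <xsl:template match="/">
    <xsl:value-of select="$name"/> likes <xsl:value-of select="$color"/>
  </xsl:template>
</xsl:stylesheet>
XSL

# Hypothetical helper: turn an arbitrary string into an XPath string literal.
# A value without double quotes is wrapped in "..."; one without single quotes
# in '...'; a value containing both is split at every '"' and reassembled with
# concat(), wrapping each '"' in single quotes and every other piece in double.
sub xpath_literal {
    my ($value) = @_;
    return qq{"$value"} if $value !~ /"/;
    return qq{'$value'} if $value !~ /'/;
    my @parts = map { $_ eq '"' ? q{'"'} : qq{"$_"} }
                grep { length } split /(")/, $value;
    return 'concat(' . join(',', @parts) . ')';
}

# Quote every value before it reaches the XSLT engine; the keys stay as-is.
sub quoted_params {
    my %params = @_;
    return map { $_ => xpath_literal($params{$_}) } keys %params;
}

my $parser     = XML::LibXML->new;
my $xslt       = XML::LibXSLT->new;
my $stylesheet = $xslt->parse_stylesheet($parser->parse_string($xsl));
my $source     = $parser->parse_string('<root/>');

# Unquoted: 'red' is evaluated as an XPath expression (a child element
# lookup that matches nothing) and the name value is not even valid XPath.
my $raw = eval { $stylesheet->transform($source, %fdat) };
print "unquoted params: ", ($@ ? "transform failed: $@" : $stylesheet->output_as_bytes($raw)), "\n";

# Quoted: both values arrive as the literal text the client submitted.
my $result = $stylesheet->transform($source, quoted_params(%fdat));
print "quoted params:   ", $stylesheet->output_as_bytes($result), "\n";
```

XML::LibXSLT ships the same conversion as `XML::LibXSLT::xpath_to_string(%fdat)`, so a caller can pass `$stylesheet->transform($source, XML::LibXSLT::xpath_to_string(%fdat))` instead of a hand-written helper; the helper is spelled out here only to show why the `concat()` case exists. The unquoted run reproduces the "strange LibXSLT error" mentioned above, because `O'Brien "Bob"` fails to parse as an expression, and it shows the quieter failure too: an unquoted `red` silently yields an empty string rather than the word.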

