Stefano Mazzocchi wrote:
> Another possibility would be to have the XSLT transformer being 'locked' and avoid accessing anything that is not included in the stylesheet (that means: forbidding document() and extensions, maybe imports too).
> Maybe the Xalan team has something ready for this already?
There is already the URIResolver where you can hook in your URL access policy. DoS attacks could still be a nuisance though.
Certain extension elements and functions already provided by the XSLT processor are also a concern; in Saxon you can turn them off summarily by a configuration setting.

J.Pietschmann
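The URIResolver hook mentioned in the reply, sketched as an added example that is not part of the original message or of any project's code: a JAXP `URIResolver` that lets `document()`, `xsl:import` and `xsl:include` load only local files under one directory. The class name `DirectoryResolver`, the directory `/srv/app/xsl` and the sample stylesheet are assumptions made for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class LockedTransform {
    /** URL access policy: only local files under one directory may be loaded. */
    static final class DirectoryResolver implements URIResolver {
        private final Path root;
        private final String rootUri;
        DirectoryResolver(Path root) {
            this.root = root.toAbsolutePath().normalize();
            String u = this.root.toUri().toString();
            this.rootUri = u.endsWith("/") ? u : u + "/";
        }
        @Override
        public Source resolve(String href, String base) throws TransformerException {
            try {
                URI from = URI.create(base == null || base.isEmpty() ? rootUri : base);
                URI target = from.resolve(href);
                // Paths.get(URI) fails for non-file URIs and decodes %xx; normalize() folds "..".
                Path p = Paths.get(target).normalize();
                if (p.startsWith(root)) return new StreamSource(p.toFile());
            } catch (RuntimeException e) { /* malformed or non-file URI: fall through to refusal */ }
            throw new TransformerException("blocked by URI policy: " + href);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stylesheet that reaches outside the allowed directory via document().
        String xsl = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:template match='/'><out><xsl:copy-of select=\"document('file:///etc/hostname')\"/>"
            + "</out></xsl:template></xsl:stylesheet>";
        URIResolver policy = new DirectoryResolver(Paths.get("/srv/app/xsl")); // hypothetical path

        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setURIResolver(policy);          // consulted for xsl:import and xsl:include
        Transformer t = factory.newTransformer(new StreamSource(new StringReader(xsl)));
        t.setURIResolver(policy);                // consulted for document()
        StringWriter out = new StringWriter();
        try {
            t.transform(new StreamSource(new StringReader("<in/>")), new StreamResult(out));
            System.out.println("output: " + out); // some processors only warn and return no nodes
        } catch (TransformerException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The path check does not follow symbolic links, and a resolver of this kind does nothing about stylesheets that consume CPU or memory, which is the DoS nuisance the reply points out.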
