copying xalan-dev: Andrew Timberlake wrote:
> I don't know all the capabilities of XSL and would like to know if there is a security risk in allowing users to upload any XSL files to be used in a 'skins' type of application? My one concern would be using the document('') methods to load and display other files from the system? If this is not a good idea, can we sandbox an xsl transformer somehow?

Yes, there is a security concern in terms of reading stuff accessible from the user executing the virtual machine. If you can also find a way to upload classes and/or scripts, you could execute them from those stylesheets using extensions or BSF.
Some servlet engines allow you to set up a security sandbox around the entire servlet (cocoon in this case, or your own code), so that would somehow limit your vulnerability.
Another possibility would be to have the XSLT transformer be 'locked' and avoid accessing anything that is not included in the stylesheet (that means: forbidding document() and extensions, maybe imports too).
Maybe the xalan team has something ready for this already?
--
Stefano Mazzocchi <[EMAIL PROTECTED]>
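
One way to build the 'locked' transformer described in the message above, using only the standard JAXP API. This is an added example, not code from the original message or from the Xalan project; the class name `LockedXslt`, the `DENY_ALL` resolver and the sample skin are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class LockedXslt {
    // Refuse every URI. Throwing matters: returning null falls back to default resolution.
    static final URIResolver DENY_ALL = (href, base) -> {
        throw new TransformerException("external resource blocked: " + href);
    };

    static TransformerFactory lockedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // In the JDK's built-in processor this turns off extension functions and elements.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        for (String attr : new String[] {XMLConstants.ACCESS_EXTERNAL_DTD,
                                         XMLConstants.ACCESS_EXTERNAL_STYLESHEET}) {
            try {
                tf.setAttribute(attr, ""); // empty string denies all protocols
            } catch (IllegalArgumentException e) {
                // Some processors do not know these JAXP 1.5 attributes; DENY_ALL still applies.
            }
        }
        tf.setURIResolver(DENY_ALL); // covers xsl:import and xsl:include at compile time
        return tf;
    }

    static String transform(String xsl, String xml) throws TransformerException {
        Transformer t = lockedFactory().newTransformer(new StreamSource(new StringReader(xsl)));
        t.setURIResolver(DENY_ALL); // covers document() at run time
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample skin that tries to pull in a local file through document().
        String skin = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:template match='/'><xsl:copy-of select=\"document('file:///tmp/constructed.xml')\"/>"
            + "</xsl:template></xsl:stylesheet>";
        try {
            System.out.println("output: " + transform(skin, "<page/>"));
        } catch (TransformerException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whether a blocked document() call aborts the transform or yields an empty node-set depends on the processor, so `main` handles both; a servlet-level security sandbox as mentioned in the message remains a separate, outer layer.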