Hi,

> -----Original Message-----
> From: Hunsberger, Peter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 30, 2003 7:48 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: XSL Security question
>
> > Where the files directory would contain a user's directory to which users
> > could upload their own versions of the stylesheets, i.e. skins, I would
> > want to define a specific transformer that would not affect the
> > transformations in the rest of the application but would limit the user
> > to using basic xsl transformations or limit the user to his xsl file and
> > that alone.
> <snip>
> > Does anyone have any ideas on how to implement this safely or is it just
> > a bad idea?
>
> Hi Andrew,
>
> This seems like a bad idea: skins are configuration data, and giving someone
> a programming language to implement data doesn't make sense. Instead let
> them define an XML file with various settings that define how the skin is
> implemented. Then use an XSLT to combine their configuration data with any
> other default configuration data. Since there are many people already doing
> exactly this you may want to look around a little and, in particular, pay
> some attention to Forrest if you haven't already done so...
There are definitely situations where you need to have project-defined XSLT.
We use a combination of chroot jails (if shell access) and URIResolvers to
keep the dev-user where they should be. Also, since we use Saxon, we turn off
extensions with:

    TransformerFactory factory = TransformerFactory.newInstance();
    factory.setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, Boolean.FALSE);

The URIResolver only checks the client's available (cached?) files:

    // servletContext is the web application's ServletContext (getRealPath is
    // an instance method, so it cannot be called on the interface itself);
    // client_path is the context-relative path of this client's directory.
    boolean isValidHref(File f) throws IOException {
        String base = new File(servletContext.getRealPath(this.client_path)).getCanonicalPath();
        if (!base.endsWith(File.separator)) {
            base += File.separator;   // so "/skins/bob" cannot match "/skins/bobby"
        }
        // Canonical paths resolve ".." segments and symlinks before the prefix
        // test; a plain getAbsolutePath() would let "/skins/bob/../alice/x.xsl" pass.
        String req_f = f.getCanonicalPath();
        return req_f.startsWith(base);
        // when this returns false the URIResolver returns a
        // StreamSource(new StringReader("<file not available/>"))
    }

What am I missing? :-o

-Rob

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
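As an added example (not Rob's code and not from the original thread), here is how the two measures from his reply fit together in JAXP with Saxon: the factory attribute that disables extension functions, and a URIResolver that confines xsl:import, xsl:include and document() to one client's skin directory. It goes beyond the posted isValidHref in the points a reviewer would raise: paths are canonicalised before the prefix check so ".." segments and symlinks cannot escape, the prefix ends with a separator so a sibling directory with a longer name does not match, hrefs carrying a URI scheme are never followed, and the resolver is installed on the Transformer as well as the factory because document() is resolved at run time. The class and method names (ConfinedResolver, confinedFactory, compile), the placeholder element name, and the use of the attribute's string form (the FeatureKeys class has moved between Saxon releases) are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamSource;

/**
 * Hypothetical resolver for this example: serves hrefs from xsl:import,
 * xsl:include and document() only when the target lies inside one client's
 * skin directory. Anything else yields a harmless placeholder document.
 */
public class ConfinedResolver implements URIResolver {
    // Canonical path of the client's directory, always with a trailing separator.
    private final String clientRoot;

    public ConfinedResolver(File clientDir) throws IOException {
        // Canonicalise once so the prefix check compares like with like.
        String root = clientDir.getCanonicalPath();
        this.clientRoot = root.endsWith(File.separator) ? root : root + File.separator;
    }

    /** True only if f, after resolving ".." segments and symlinks, sits under clientRoot. */
    boolean isValidHref(File f) {
        try {
            // The trailing separator on clientRoot stops "/skins/alice" matching "/skins/alice2".
            return f.getCanonicalPath().startsWith(clientRoot);
        } catch (IOException e) {
            return false;   // a path that cannot be canonicalised is treated as outside
        }
    }

    public Source resolve(String href, String base) throws TransformerException {
        // Only plain relative paths are resolved, and always against the client
        // directory; anything with a scheme (http:, file:, jar:, ...) is refused.
        if (href.indexOf(':') >= 0) {
            return placeholder();
        }
        File target = new File(clientRoot, href);
        if (!isValidHref(target) || !target.isFile()) {
            return placeholder();
        }
        return new StreamSource(target);
    }

    private static Source placeholder() {
        return new StreamSource(new StringReader("<file-not-available/>"));
    }

    /** A factory that neither calls extension functions nor leaves the client directory. */
    public static TransformerFactory confinedFactory(File clientDir) throws IOException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // String form of Saxon's FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS (assumed here so the
        // example does not depend on the package the class lives in for a given Saxon release).
        // A non-Saxon factory rejects the attribute, which must not be silently ignored.
        try {
            factory.setAttribute("http://saxon.sf.net/feature/allow-external-functions", Boolean.FALSE);
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException("factory cannot disable extension functions", e);
        }
        factory.setURIResolver(new ConfinedResolver(clientDir));
        return factory;
    }

    /** Compiles one of the client's own stylesheets with the confined resolver on both levels. */
    public static Transformer compile(File clientDir, String stylesheetName)
            throws IOException, TransformerException {
        TransformerFactory factory = confinedFactory(clientDir);
        ConfinedResolver resolver = (ConfinedResolver) factory.getURIResolver();
        File xsl = new File(resolver.clientRoot, stylesheetName);
        if (!resolver.isValidHref(xsl) || !xsl.isFile()) {
            throw new TransformerException("stylesheet outside client directory: " + stylesheetName);
        }
        Transformer t = factory.newTransformer(new StreamSource(xsl));
        // xsl:import/include were checked by the factory's resolver at compile time;
        // document() runs at transform time, so the Transformer needs the resolver too.
        t.setURIResolver(resolver);
        return t;
    }
}
```

Usage: call ConfinedResolver.compile(new File(ctx.getRealPath("/files/" + user)), "skin.xsl") for each request and transform with the returned Transformer. Returning a placeholder rather than throwing keeps a hostile href from producing an error message that reveals which paths exist outside the directory.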