Not at all, thanks for rubbing my nose in it :)
That's not unlikely and doesn't require uploading classes. Consider the following:
<map:match pattern="*-*.html">
<map:generate src="repository/{1}.xml" type="file"/>
<map:transform type="{2}"/>
<map:serialize type="html"/>
</map:match>
Now suppose we're in a CMS and that the user can upload the initial xml file. What if {2}, which is expected to be "foo" or "bar" is set to "jxtemplate"? The uploaded file iss interpreted and can then execute arbitrary code on the server!
Does this sound so unlikely?
Your example would be unsafe anyway if the transformer is configured to jxtemplate and the upload-directory to repository, but i guess then the user is to blame and not the framework.
Tainting uploaded files or parameters like perl does could partially prevent this but it would never be foolproof.
I'll rest my case.
SylvainJorg
