Hi! When using XSLT with Execute() like this:
When using XSLT with Execute() like this:

    $ret = Execute({ inputfile => 'foo.xml', recipe => 'EmbperlXSLT', xsltstylesheet => 'foo.xsl', });

without an 'xsltparam', the %fdat hash is used as default 'xsltparam'. I think this

a) violates the principle of least surprise. It surprised me a lot and I spent half an hour figuring out what a strange LibXSLT error meant that resulted from this. After I found it in the source code I also found it in the documentation, but I still think it's the wrong thing to do because

b) it is a potential security risk. It means data that is supplied by the client (and can be anything) is fed into the XSLT engine as a parameter without checking it first.

In the best case (this is what happened to me) you have a URL like this:

    /foo.html?bar=x+y

which gets translated to

    $fdat{'bar'} = 'x y'

Now XSLT sees a parameter 'x y' (without the single quotes), which it can't parse and so it dies. This happens even if the XSLT stylesheet never actually defines any parameters of its own. I bet many Embperl webpages of many users can be broken just by adding spurious parameters to the URL.

In a worse case the parameter could be carefully chosen to reveal data from an XML file that shouldn't be revealed.

The workaround is easy, just supply an empty xsltparam. But I still think the default should be changed.

Jochen
-- 
Jochen Topf  [EMAIL PROTECTED]  http://www.remote.org/jochen/  +49-721-388298
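The failure mode described in the post, reproduced against XML::LibXSLT directly, together with one way to build an explicit xsltparam hash that is safe to hand to Execute(). This is an added example, not code from the post or from Embperl; the stylesheet, the XML document and the %fdat contents are constructed here. It assumes XML::LibXML and XML::LibXSLT are installed, and that Embperl passes xsltparam values to LibXSLT as raw XPath expressions (which is what the error in the post suggests). safe_xslt_params is a hypothetical helper name.

```perl
#!/usr/bin/perl
# Added example: why raw %fdat values break LibXSLT, and a whitelisted,
# quoted parameter set to pass as xsltparam instead of the default.
use strict;
use warnings;
use XML::LibXML;
use XML::LibXSLT;

# Constructed stylesheet that declares exactly one parameter, 'title'.
my $xsl_src = <<'XSL';
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:param name="title" select="'default'"/>
  <xsl:template match="/">
    <xsl:value-of select="$title"/>
  </xsl:template>
</xsl:stylesheet>
XSL
my $xml_src = '<doc/>';   # constructed input document

my $parser = XML::LibXML->new;
my $xslt   = XML::LibXSLT->new;
my $sheet  = $xslt->parse_stylesheet($parser->parse_string($xsl_src));
my $doc    = $parser->parse_string($xml_src);

# Simulates %fdat for the request /foo.html?bar=x+y&title=Hello+World
my %fdat = (bar => 'x y', title => 'Hello World');

# 1. The default behaviour from the post: %fdat handed over verbatim.
#    LibXSLT treats every value as an XPath expression; 'x y' does not
#    parse, so the whole transform dies even though the stylesheet never
#    declared a 'bar' parameter.
my $raw = eval { $sheet->output_string($sheet->transform($doc, %fdat)) };
print "raw %fdat:   ", ($@ ? "FAILED: $@" : "ok: $raw"), "\n";

# 2. Hardened: accept only parameter names the stylesheet is known to use,
#    and wrap each value as an XPath string literal so a client-supplied
#    value can only ever be a string, never an expression that selects
#    nodes from the source document.
sub safe_xslt_params {
    my ($fdat, @allowed) = @_;
    my %params;
    for my $name (@allowed) {
        next unless defined $fdat->{$name};
        # xpath_to_string (XML::LibXSLT) takes name/value pairs and returns
        # them with each value quoted as an XPath string literal; values
        # containing both quote characters are turned into concat() calls.
        my ($n, $v) = XML::LibXSLT::xpath_to_string($name => $fdat->{$name});
        $params{$n} = $v;
    }
    return \%params;
}

# 'bar' is not on the allow list and is silently dropped; 'title' becomes
# the literal 'Hello World' and the transform succeeds.
my $params = safe_xslt_params(\%fdat, 'title');
my $safe   = $sheet->output_string($sheet->transform($doc, %$params));
print "whitelisted: ok: $safe\n";

# In Embperl the same hashref is passed explicitly, which also disables the
# %fdat default. An empty hashref ({}) is the workaround from the post when
# the stylesheet takes no parameters at all.
#   $ret = Execute({ inputfile      => 'foo.xml',
#                    recipe         => 'EmbperlXSLT',
#                    xsltstylesheet => 'foo.xsl',
#                    xsltparam      => safe_xslt_params(\%fdat, 'title') });
```

The allow list is the important part: quoting alone stops a value from being parsed as an expression, but without the allow list every spurious query-string key still reaches the engine as a parameter, and only the names the stylesheet actually declares should get there.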