Hi!
On Wed, Jun 09, 2004 at 01:24:28PM +0200, Gerald Richter wrote:
> Jochen Topf wrote:
> > Hi!
> >
> > When using XSLT with Execute() like this:
> >
> > $ret = Execute({
> >     inputfile      => 'foo.xml',
> >     recipe         => 'EmbperlXSLT',
> >     xsltstylesheet => 'foo.xsl',
> > });
> >
> > without an 'xsltparam', the %fdat hash is used as default 'xsltparam'.
> >
> > I think this
> > a) violates the principle of least surprise. It surprised me a lot and I
> > spent half an hour to figure out what a strange LibXSLT error meant
> > that resulted from this. After I found it in the source code I also
> > found it in the documentation, but I still think it's the wrong
> > thing to do because it
> > b) is a potential security risk. It means data that is supplied by the
> > client (and can be anything) is fed into the XSLT engine as
> > parameter without checking it first.
> >
>
> It is built in for convenience, but you are right, the current implementation
> is a security risk. The default behaviour should be to quote all values.
> From my point of view this should remove all security problems and doesn't
> cause a problem.
>
> What do you think?
Yep. That sounds like a good solution.
Jochen
--
Jochen Topf [EMAIL PROTECTED] http://www.remote.org/jochen/ +49-721-388298
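The quoting Gerald proposes, shown as an added example (not Embperl's own code): it calls XML::LibXSLT directly, and the %fdat hash here is a constructed stand-in for Embperl's decoded client form data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;
use XML::LibXSLT;

# Constructed stand-in for Embperl's %fdat (client-supplied form data).
# XSLT parameter values are XPath expressions, so a plain text value with a
# space or a quote is enough to produce the "strange LibXSLT error": the
# engine tries to parse it as XPath instead of treating it as a string.
my %fdat = ( greeting => 'hello world', who => "O'Brien" );

# Minimal constructed input document and stylesheet that echo the parameters.
my $xml = '<root/>';
my $xsl = <<'XSL';
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:param name="greeting"/>
  <xsl:param name="who"/>
  <xsl:template match="/">
    <out><xsl:value-of select="concat($greeting, ', ', $who)"/></out>
  </xsl:template>
</xsl:stylesheet>
XSL

my $parser     = XML::LibXML->new;
my $stylesheet = XML::LibXSLT->new->parse_stylesheet($parser->parse_string($xsl));
my $doc        = $parser->parse_string($xml);

# Weak (the old default): %fdat is handed over as-is, so every value is
# evaluated by the XPath engine and the client decides what gets evaluated.
my $weak = eval { $stylesheet->transform($doc, %fdat) };
print "unquoted call failed: $@" unless $weak;

# Hardened: quote every value first, so each one reaches the stylesheet as a
# string literal whatever the client sent. xpath_to_string() is part of
# XML::LibXSLT and also copes with values that themselves contain quotes.
my $result = $stylesheet->transform($doc, XML::LibXSLT::xpath_to_string(%fdat));
print $stylesheet->output_as_bytes($result);
```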