Hi,
We really liked the option to be able to write JavaScript extensions
in XSLTs that execute in Xalan. However, we recently had a customer
come to us with a request to disable the execution of Java code
specifically (not JavaScript) as he saw it as a potential security
hole as our software lets our customers write arbitrary XSLTs to
manipulate their XML data.
Assuming the application was running as a privileged user, we were able to
write XSLTs in our software that would delete files/folders on the
filesystem of the machine running our software (Tomcat instance).
Any ideas? Is there a way to limit the scope of what classes and
libraries are available when Xalan executes Java code, or is there a way to
just disable this functionality?
Thanks,
Bradley
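As an added example (not from the poster or the Xalan project): one way to address the question above is to turn on JAXP's secure-processing feature, which Xalan-J honours by refusing extension functions and elements. It assumes Xalan-J is the `TransformerFactory` on the classpath; the stylesheet, input document and class name are constructed for the demo.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class SecureXsltDemo {

    // Constructed sample stylesheet: reads a harmless JVM property through
    // Xalan's "java" extension namespace, the same mechanism that exposes
    // arbitrary Java classes to whoever can author the XSLT.
    static final String XSLT =
        "<xsl:stylesheet version=\"1.0\""
      + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
      + " xmlns:java=\"http://xml.apache.org/xalan/java\">"
      + " <xsl:template match=\"/\">"
      + "  <out><xsl:value-of select=\"java:java.lang.System.getProperty('java.version')\"/></out>"
      + " </xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed input document; content is irrelevant to the check.
    static final String XML = "<doc/>";

    /** Runs the transform with secure processing on or off; returns output or the error. */
    static String run(boolean secure) {
        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            // With this feature true, Xalan rejects extension functions/elements
            // (reported as a TransformerException at compile or run time).
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(XSLT)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(XML)), new StreamResult(out));
            return "OK: " + out;
        } catch (TransformerException e) {
            return "BLOCKED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Expect the first line to succeed and the second to be BLOCKED.
        System.out.println("secure=false -> " + run(false));
        System.out.println("secure=true  -> " + run(true));
    }
}
```

A factory configured this way can be shared for all customer-supplied stylesheets, so the Java-extension path is closed application-wide rather than per transform.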