This is the mail archive of the xsl-list@mulberrytech.com mailing list.
RE: The evaluate function
- From: Joerg Pietschmann <joerg dot pietschmann at zkb dot ch>
- To: XSL List <xsl-list at lists dot mulberrytech dot com>
- Date: Thu, 03 Jan 2002 18:20:02 +0100
- Subject: RE: [xsl] The evaluate function
- Organization: ZKB
- Reply-to: xsl-list at lists dot mulberrytech dot com
Apart from all the issues mentioned by Mr. Kay, an eval() function makes it rather easy to open security holes in a style sheet.

For example, once you figured out you can put an XPath into the nice "Enter your query here" field which is passed directly to an eval() function, what will stop you from entering

document("file:///C/Documents and Settings/Administrator/preferences.xml")?

:-)

Or, if extension functions may be called indiscriminately:

mswin:delete("C:\*.*","recursive")
Regards
J.Pietschmann
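As an added illustration of the point made in the post (this code is not part of the post and not from any XSLT processor), here is a standard-library Python sketch of the two defences an application author has when a query field feeds an XPath evaluator: keep the expression shape fixed and embed the user's input only as a correctly encoded XPath 1.0 string literal, and, where the user really must supply a whole expression, allowlist the function names it may call and reject document() and any namespace-prefixed extension function before the engine ever sees it. All names (SAMPLE_XML, violations, xpath_literal, build_title_query, find_item_ids, ALLOWED_FUNCTIONS) are my own, and the sample catalog is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document; not taken from the mailing-list post.
SAMPLE_XML = """<catalog>
  <item id="1"><title>XSLT Basics</title></item>
  <item id="2"><title>O'Reilly XPath</title></item>
</catalog>"""

# Functions an untrusted expression may call. document() and every
# namespace-prefixed extension function are deliberately absent: the
# danger is in what eval() can reach, not in the query itself.
ALLOWED_FUNCTIONS = {
    "contains", "starts-with", "normalize-space", "string-length",
    "not", "position", "last", "count", "name",
}

_TOKEN_RE = re.compile(r"""
      '[^']*' | "[^"]*"                                # string literal
    | (?P<prefixed>[A-Za-z_][\w.-]*:[A-Za-z_][\w.-]*)  # ns:name (extension)
    | (?P<call>[A-Za-z_][\w.-]*)\s*\(                  # function call
    | [^'"]                                            # any other character
""", re.VERBOSE)


def violations(expr):
    """Return the reasons an untrusted XPath 1.0 expression must be rejected
    (an empty list means it passed the allowlist)."""
    reasons = []
    pos = 0
    for m in _TOKEN_RE.finditer(expr):
        if m.start() != pos:
            # Only an unterminated quote can leave a character unmatched.
            return reasons + [f"unbalanced quote at offset {pos}"]
        if m.group("prefixed"):
            reasons.append(f"namespaced name {m.group('prefixed')!r}")
        elif m.group("call") and m.group("call") not in ALLOWED_FUNCTIONS:
            reasons.append(f"function {m.group('call')}() not allowed")
        pos = m.end()
    if pos != len(expr):
        reasons.append(f"unbalanced quote at offset {pos}")
    return reasons


def xpath_literal(value):
    """Encode an arbitrary string as an XPath 1.0 string literal.
    XPath 1.0 has no escape character, so a value holding both quote kinds
    is spliced together with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = ", \"'\", ".join(f"'{p}'" for p in value.split("'"))
    return f"concat({pieces})"


def build_title_query(user_value):
    """The query shape is fixed by the developer; the user supplies only a
    value, which is always embedded as a literal, never as expression text."""
    return f".//item[title={xpath_literal(user_value)}]"


def find_item_ids(xml_text, user_value):
    """Look up items by exact title. ElementTree's XPath subset accepts
    single- or double-quoted literals but not concat(), so a value holding
    both quote kinds is refused here instead of being passed through."""
    query = build_title_query(user_value)
    if query.startswith(".//item[title=concat("):
        raise ValueError("ElementTree cannot evaluate concat(); use a full XPath engine")
    root = ET.fromstring(xml_text)
    return [item.get("id") for item in root.findall(query)]


if __name__ == "__main__":
    for value in ("XSLT Basics", "O'Reilly XPath"):
        print(value, "->", find_item_ids(SAMPLE_XML, value))
    for expr in ("//item[contains(title, 'XPath')]",
                 "document('file:///C/x.xml')",
                 'mswin:delete("C:\\*.*","recursive")'):
        print(expr, "->", violations(expr) or "ok")
```

The literal-encoding path is the one to prefer: the user never gets to write expression text at all. The allowlist in violations() is a fallback for the case the post describes, where the field really does accept an expression; it is an allowlist rather than a denylist precisely because the set of reachable extension functions depends on the processor, so anything not explicitly permitted is refused. ElementTree is used here only because it ships with Python; a full XPath 1.0 engine evaluates the concat() form directly, and the allowlist should then be checked against the function set that engine actually exposes.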
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list