* Kip Hampton <[EMAIL PROTECTED]>
> Third, params passed in via <xsl:param> arguably do not share many of
> the same risks as raw CGI params in a Perl script (for example). Given
> XSLT's lack of real side effects, even if the stylesheet author is
> over-trusting on the params that they ask for, the most a scriptkiddie
> is likely to achieve is blowing up the transformation for their own
> request.
A problem I can see is if an <xsl:param> is used as an argument to something that can pull in remote resources, such as the document function, xsl:include, or xsl:import. An attacker could in theory download and inject their own stylesheet into the mix for a cross-site scripting or information leak attack. Most likely it would blow things up unless they had access to the stylesheet source. Highly contrived, and Don't Do That!

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
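The pattern described above, as an added example that is not part of the original thread: a constructed stylesheet hands its `src` parameter straight to `document()`, so whoever controls that parameter picks the file or URL the processor reads. The two defences shown are the one a practitioner actually wants: an allowlist filter that keeps anything resembling a path or URL out of the parameter set before the transform is called, and (assuming lxml is installed; it is not part of the original) `XSLTAccessControl.DENY_ALL` so that libxslt refuses file and network reads for `document()`, `xsl:include` and `xsl:import` even if a hostile value does slip through. The parameter names, patterns and sample values are assumptions for the example.

```python
"""Keeping user-supplied <xsl:param> values away from document()/include/import.
Added example; not code from the original mailing-list post."""
import re
from typing import Dict, Mapping

# Constructed stylesheet: the "src" param is passed verbatim to document().
# Whoever sets src chooses which file or URL the XSLT processor fetches.
VULNERABLE_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:param name="src"/>
  <xsl:template match="/">
    <out><xsl:copy-of select="document($src)"/></out>
  </xsl:template>
</xsl:stylesheet>
"""

# Assumed policy: only these parameter names are forwarded to the transform,
# and only when the value matches a strict pattern. Unknown names are dropped.
PARAM_POLICY: Mapping[str, "re.Pattern[str]"] = {
    "lang": re.compile(r"[a-z]{2}"),          # e.g. "en"
    "page": re.compile(r"[1-9][0-9]{0,3}"),   # e.g. "3"
}

# Anything that could steer document()/include to another resource:
# a URI scheme, an absolute path, a backslash, a parent-directory hop, a fragment.
_RESOURCE_REF = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:|://|^/|\\|\.\.|#")


def looks_like_resource_ref(value: str) -> bool:
    """True if a parameter value looks like a path, URL or fragment reference."""
    return _RESOURCE_REF.search(value) is not None


def filter_params(raw: Mapping[str, str]) -> Dict[str, str]:
    """Return only allowlisted params whose values fully match their pattern.

    A request carrying src=http://attacker.example/evil.xml loses "src" here,
    so the stylesheet's document($src) never sees an attacker-chosen target.
    """
    clean: Dict[str, str] = {}
    for name, value in raw.items():
        pattern = PARAM_POLICY.get(name)
        if pattern is None or not pattern.fullmatch(value):
            continue  # unknown name or hostile value: drop it
        if looks_like_resource_ref(value):
            continue  # belt and braces; the patterns above already exclude this
        clean[name] = value
    return clean


def transform_locked_down(xml_text: str, stylesheet: str, params: Mapping[str, str]) -> str:
    """Run the transform with lxml, denying all file and network access.

    Assumes lxml is installed (raises ImportError otherwise). With DENY_ALL,
    libxslt refuses reads for document(), xsl:include and xsl:import, so even a
    parameter that reached the stylesheet cannot pull in another resource.
    """
    from lxml import etree  # assumption: lxml available

    xslt = etree.XSLT(etree.XML(stylesheet),
                      access_control=etree.XSLTAccessControl.DENY_ALL)
    str_params = {k: etree.XSLT.strparam(v) for k, v in params.items()}
    return str(xslt(etree.XML(xml_text), **str_params))


if __name__ == "__main__":
    # Constructed hostile request: src points at a local file the attacker wants echoed.
    request = {"src": "/etc/hostname", "lang": "en", "page": "3"}
    print("forwarded params:", filter_params(request))  # src is dropped

    try:
        import os
        import tempfile
        from lxml import etree

        # Constructed "secret" file to show what the vulnerable stylesheet would leak.
        with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
            fh.write("<secret>leaked</secret>")
        try:
            unrestricted = etree.XSLT(etree.XML(VULNERABLE_XSLT))
            leaked = str(unrestricted(etree.XML("<doc/>"), src=etree.XSLT.strparam(fh.name)))
            print("unrestricted transform, src under attacker control:", leaked.strip())
            try:
                locked = transform_locked_down("<doc/>", VULNERABLE_XSLT, {"src": fh.name})
                print("DENY_ALL transform:", locked.strip())
            except etree.XSLTApplyError as err:
                print("DENY_ALL transform refused the read:", err)
        finally:
            os.unlink(fh.name)
    except ImportError:
        print("lxml not installed; skipping the transform demo")
```

In practice both layers belong together: the parameter filter is cheap and catches the obvious `src=http://...` injection, while the access-control setting is what stops the stylesheet from reaching outside the document no matter what a parameter contains.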