> > Agreed. I was never convinced by this line of argument (BUT I
> > reserve the right to hide quietly under my desk if someone
> > comes up with an XPath exploit that cracks our server and
> > Matthew starts sending out "told you so!" emails :-)
>
> I can certainly do the following if we used XSLT or XInclude.
Thankfully, no XSLT or XInclude.
> I could craft a http link to Ralph's light client which would cause a
> search to be done (and Ralph's light client to display the results) which
> would use XSLT/XInclude to add JavaScript to the record. With a little
How about something like:
recordXPath="concat('<script>...</script>', string(/))"
> This wouldn't be possible if we didn't have the XPath, XInclude stuff
It doesn't compromise the server, though, just exploits potential
JavaScript security issues in a certain *cough* browser.
It would make the server look bad, but really ... people
clicking on links from untrustworthy sources, using untrustworthy
browsers should expect to get owned occasionally.
Anyway, Microsoft recommend not clicking on links any more, but to type
them in by hand. Which includes the CQL query, I guess, so we have a
usage scenario for hand entered queries :)
Rob
--
,'/:. Dr Robert Sanderson
,'-/::::. http://www.o-r-g.org/~azaroth/
,'--/::(@)::. Special Collections and Archives, extension 3142
,'---/::::::::::. Nebmedes: http://nebmedes.o-r-g.org:8000/
____/:::::::::::::.
I L L U M I N A T I