Date: Wed, 4 Feb 2004 12:56:30 -0000
Reply-To: "Z39.50 Next-Generation Initiative" <[log in to unmask]>
Sender: "Z39.50 Next-Generation Initiative" <[log in to unmask]>
From: "Matthew J. Dovey" <[log in to unmask]>
Subject: Re: XPath and Validation
Comments: To: "Z39.50 Next-Generation Initiative" <[log in to unmask]>
Content-Type: text/plain; charset="us-ascii"
> It doesn't compromise the server, though, just exploits
> potential javascript security issues in a certain *cough* browser.
> It would make the server look bad,
Well, I could do an exploit which would work with any browser that
supports JavaScript (e.g. pop up a window saying that the OCLC webserver
would be unavailable during February ;-) )
As for exploiting the server, well, here's (below) a way of embedding
server-executed JavaScript if we were using XSLT (which we aren't, but it
was suggested back in Oct or whenever, and last week!) and just dropped
in Xalan (there's a similar scripting extension in Saxon as well...). OK,
the code below isn't malicious.
Could you exploit the scripting extensions in Saxon and Xalan et al.
just using XPath (or XInclude)? I don't know, possibly not. As I said,
I'm not going to object if people want to keep this in 1.1.
Oh, we're using XPath 1.0, aren't we. If we were using XPath 2.0 I wonder
how many servers would gracefully handle
recordXpath="op:numeric-divide(1, 0)" ;-)
Matthew
<?xml version="1.0"?>
<!--Namespaces are global if you set them in the stylesheet element-->
<xsl:stylesheet
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    version="1.0"
    xmlns:xalan="http://xml.apache.org/xalan"
    xmlns:my-ext="ext1"
    extension-element-prefixes="my-ext">
  <!--The component and its script are in the xalan namespace and define
      the implementation of the extension.-->
  <xalan:component prefix="my-ext" elements="timelapse" functions="getdate">
    <xalan:script lang="javascript">
      var multiplier = 1;
      // The methods or functions that implement extension elements always take 2
      // arguments. The first argument is the XSL Processor context; the second
      // argument is the element node.
      function timelapse(xslProcessorContext, elem)
      {
        multiplier = parseInt(elem.getAttribute("multiplier"));
        // The element return value is placed in the result tree.
        // If you do not want a return value, return null.
        return null;
      }
      function getdate(numdays)
      {
        var d = new Date();
        var totalDays = parseInt(numdays) * multiplier;
        d.setDate(d.getDate() + totalDays);
        return d.toLocaleString();
      }
    </xalan:script>
  </xalan:component>
  <xsl:template match="deadline">
    <p><my-ext:timelapse multiplier="2"/>We have logged your enquiry and will
    respond by <xsl:value-of select="my-ext:getdate(string(@numdays))"/>.</p>
  </xsl:template>
</xsl:stylesheet>
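Added example (not part of Matthew's message, and not Xalan or Saxon project code): a standard-library Python pre-filter that a server accepting client-supplied stylesheets could run before handing anything to the transformer. It flags the three ways the stylesheet above reaches extension code: the extension-element-prefixes declaration, elements in a processor's extension namespace (xalan:component, xalan:script), and any prefixed XPath function call, which in XSLT 1.0 is by definition an extension function. The deny-list of processor namespaces and the benign stylesheet are assumptions constructed for the example; the flagged input is the stylesheet from the message with its script body abbreviated.

```python
"""Audit a client-supplied XSLT 1.0 stylesheet for constructs that run
processor extension code (Xalan/Saxon script blocks, extension elements,
extension functions) before the stylesheet reaches the transformer."""
import io
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Namespace URIs (or URI prefixes) that hand control to processor-specific code.
# Assumption: a starting deny-list, not an exhaustive one; extend it for the
# processors you actually deploy.
PROCESSOR_EXTENSION_NS = (
    "http://xml.apache.org/xalan",   # Xalan-J: xalan:component, xalan:script
    "http://xml.apache.org/xslt",    # older Xalan "lxslt" extension namespace
    "http://icl.com/saxon",          # Saxon 6: saxon:script
    "http://saxon.sf.net/",          # Saxon 7 and later
    "java:",                         # direct Java class binding
)

# XPath 1.0 built-ins are all unprefixed, so prefix:name( is an extension call.
PREFIXED_CALL = re.compile(r"(?<![\w.-])([A-Za-z_][\w.-]*):([A-Za-z_][\w.-]*)\s*\(")
# Attributes of xsl: elements whose value is an XPath expression or pattern.
XPATH_ATTRS = ("select", "test", "match", "use", "count", "from", "value")


def _split_tag(tag: str):
    """ElementTree tags are '{uri}local' or 'local'; return (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def audit_stylesheet(xml_text: str) -> List[str]:
    """Return one finding per construct that would execute extension code.
    An empty list means only XSLT 1.0 built-ins are used."""
    findings: List[str] = []
    prefixes: Dict[str, str] = {}   # prefix -> namespace URI, as declared
    ext_uris = set()                # namespaces named in extension-element-prefixes
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":          # fires before the element that declares it
            prefix, uri = item
            prefixes[prefix] = uri
            continue
        uri, local = _split_tag(item.tag)
        if uri == XSL_NS and local in ("stylesheet", "transform"):
            for p in item.attrib.get("extension-element-prefixes", "").split():
                ext_uris.add(prefixes.get(p, ""))
                findings.append(f"extension-element-prefixes declares {p} -> {prefixes.get(p, '?')}")
        if local == "script" and uri.startswith(PROCESSOR_EXTENSION_NS):
            findings.append(f"embedded script block lang={item.attrib.get('lang', '?')} in {uri}")
        elif uri.startswith(PROCESSOR_EXTENSION_NS) or (uri and uri in ext_uris):
            findings.append(f"extension element {local} in namespace {uri}")
        if uri == XSL_NS:
            for attr in XPATH_ATTRS:
                for prefix, name in PREFIXED_CALL.findall(item.attrib.get(attr, "")):
                    findings.append(f"extension function {prefix}:{name}() -> {prefixes.get(prefix, '?')}")
    return findings


# The stylesheet from the message, script body abbreviated.
POSTED_STYLESHEET = """\
<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
    xmlns:xalan="http://xml.apache.org/xalan" xmlns:my-ext="ext1"
    extension-element-prefixes="my-ext">
  <xalan:component prefix="my-ext" elements="timelapse" functions="getdate">
    <xalan:script lang="javascript">
      var multiplier = 1;
      function timelapse(ctx, elem) { multiplier = parseInt(elem.getAttribute("multiplier")); return null; }
      function getdate(numdays) { return new Date().toLocaleString(); }
    </xalan:script>
  </xalan:component>
  <xsl:template match="deadline">
    <p><my-ext:timelapse multiplier="2"/>We will respond by
    <xsl:value-of select="my-ext:getdate(string(@numdays))"/>.</p>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: same template using only built-in functions.
BENIGN_STYLESHEET = """\
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="deadline">
    <p>We will respond within <xsl:value-of select="concat(@numdays, ' days')"/>.</p>
  </xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for label, sheet in (("posted", POSTED_STYLESHEET), ("benign", BENIGN_STYLESHEET)):
        print(label, audit_stylesheet(sheet) or "no extension use")
```

This is defence in depth, not the primary control: the processor itself should refuse extension code, which in JAXP means calling TransformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) before compiling any stylesheet; Xalan-J and the JDK's built-in XSLTC both disable extension functions and elements under that feature. The filter also says nothing about a bare XPath parameter such as recordXpath; it only covers stylesheets that a client can supply whole.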