Some questions about disabling a stylesheet from accessing extension functions


Some questions about disabling a stylesheet from accessing extension functions

by Roger Costello



Michael, on 26 October 2009 you wrote this on the xsl-list:

> Saxon has always had an option to disable all extension functions ...
> The latest release of Saxon goes beyond this, by allowing you to
> restrict the processor to use only extension functions that have been
> pre-registered with the processor


I found this in the list of flags for invoking Saxon:

    -ext:(on|off)
       
    If ext:off is specified, suppress calls on external
    Java functions, other than system-supplied Saxon and
    EXSLT extension functions. This option is useful when
    loading an untrusted stylesheet, perhaps from a remote
    site using an http:// URL; it ensures that the stylesheet
    cannot call Java methods and thereby gain privileged
    access to resources on your machine.


QUESTIONS:

1. Does ext:off disable the stylesheet from accessing all of the Saxon extension functions?

2. Does ext:off disable the stylesheet from accessing all user-defined extension functions?

3. Is there a way to disable stylesheets from accessing the EXSLT extension functions?

4. How do I "restrict the processor to use only extension functions that have been pre-registered with the processor?"

/Roger
_______________________________________________
saxon-help mailing list archived at http://saxon.markmail.org/
saxon-help@...
https://lists.sourceforge.net/lists/listinfo/saxon-help 

Re: Some questions about disabling a stylesheet from accessing extension functions

by Michael Kay



>
>     -ext:(on|off)
>
>     If ext:off is specified, suppress calls on external
>     Java functions, other than system-supplied Saxon and
>     EXSLT extension functions. This option is useful when
>     loading an untrusted stylesheet, perhaps from a remote
>     site using an http:// URL; it ensures that the stylesheet
>     cannot call Java methods and thereby gain privileged
>     access to resources on your machine.
>
I need to update this to say calls on dynamically-loaded external Java
functions. It doesn't affect calls on "integrated extension functions" in
9.2, which have to be pre-registered with the Saxon configuration and are
therefore assumed to be trusted.
>
> QUESTIONS:
>
> 1. Does ext:off disable the stylesheet from accessing all of
> the Saxon extension functions?

No, Saxon-supplied extension functions are trusted and are therefore
allowed.
>
> 2. Does ext:off disable the stylesheet from accessing all
> user-defined extension functions?

It prevents access to dynamically-loaded extension functions. It doesn't
prevent access to the "integrated" extension functions available from Saxon
9.2 onwards, which have to be pre-registered with the configuration.
>
> 3. Is there a way to disable stylesheets from accessing the
> EXSLT extension functions?

No, like the extension functions in the Saxon namespace, these are trusted.
>
> 4. How do I "restrict the processor to use only extension
> functions that have been pre-registered with the processor?"
>

Use -ext:off.

Regards,

Michael Kay
http://www.saxonica.com/
http://twitter.com/michaelhkay 




Re: Some (more) questions about disabling a stylesheet from accessing extension functions

by Roger Costello


 
Hi Michael,

I created a stylesheet that uses three kinds of extension functions:

    1. A Java method

    2. An EXSLT function

    3. A SAXON built-in extension function

Here's my stylesheet:

<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:math="java:java.lang.Math"
                xmlns:exslt="http://exslt.org/math"
                xmlns:saxon="http://saxon.sf.net/"
                extension-element-prefixes="math exslt"
                version="2.0">

    <xsl:template match="/*" >

        <xsl:message>

            <!-- 1. Java method, bound dynamically through the java: namespace -->
            <xsl:value-of select="math:sqrt(2)" />
            <!-- 2. EXSLT function -->
            <xsl:value-of select="exslt:abs(8 - 12)" />
            <!-- 3. SAXON built-in extension function -->
            <xsl:value-of select="saxon:is-whole-number(1.23)" />

        </xsl:message>

    </xsl:template>

</xsl:stylesheet>


When I ran the stylesheet with the SAXON flag:

    -ext:on

then all three kinds of extension functions were enabled and the expected output was seen.

When I ran the stylesheet with the SAXON flag:

    -ext:off

then the Java and EXSLT extension functions were disabled and this error message was seen:

    external function calls have been disabled

However, the SAXON built-in extension function remained enabled and it produced the expected output.

So, here's what I learned:

1. With extensions turned off (i.e., -ext:off) then all extension functions are disabled except for the SAXON built-in extension functions.

2. With extensions turned on (i.e., -ext:on) then the stylesheet can invoke Java methods, EXSLT functions, and the SAXON built-in extension functions.

Do you agree?

I believe that these three kinds of extension functions--Java methods, EXSLT functions, and the SAXON built-in functions--represent all of the kinds of extensions allowed by SAXON (i.e., there are no other kinds of extension functions). Correct?

/Roger

Re: Some (more) questions about disabling a stylesheet from accessing extension functions

by Michael Kay



Which version of Saxon are you using? (9.1 or 9.2? And which edition?)

Regards,

Michael Kay
http://www.saxonica.com/
http://twitter.com/michaelhkay 


Re: Some (more) questions about disabling a stylesheet from accessing extension functions

by Roger Costello


 
Hi Michael,

> Which version of Saxon are you using? (9.1 or 9.2? And which edition?)

Version 9.2, the Java edition.

(I think you are cleverly answering my question with a question, but could you elaborate further on your answer please?)

/Roger


Re: Some (more) questions about disabling a stylesheet from accessing extension functions

by Michael Kay


 

> > > I created a stylesheet that uses three kinds of extension functions:
> > >
> > >     1. A Java method
> > >
> > >     2. An EXSLT function
> > >
> > >     3. A SAXON built-in extension function
> > >
> > > So, here's what I learned:
> > >
> > > 1. With extensions turned off (i.e., -ext:off) then all extension
> > > functions are disabled except for the SAXON built-in extension
> > > functions.
> > >
> > > 2. With extensions turned on (i.e., -ext:on) then the stylesheet can
> > > invoke Java methods, EXSLT functions, and the SAXON built-in
> > > extension functions.
> > >
> > > Do you agree?

Yes, this analysis appears to be correct.

> > > I believe that these three kinds of extension functions--Java
> > > methods, EXSLT functions, and the SAXON built-in
> > > functions--represent all of the kinds of extensions allowed by SAXON
> > > (i.e., there are no other kinds of extension functions). Correct?

No, Saxon 9.2 introduces "integrated extension functions", see

http://www.saxonica.com/documentation/extensibility/integratedfunctions.html

These are not disabled by the -ext:off flag.

Michael Kay
Saxonica
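The configuration Michael describes, as an added example that is not code from this thread or from Saxonica: an application loads an untrusted stylesheet with the API equivalent of -ext:off and exposes exactly one pre-registered integrated extension function, so that is all the stylesheet can reach beyond Saxon's own trusted functions. Assumptions: the post-9.2 package names (net.sf.saxon.lib) and the later call(XPathContext, Sequence[]) signature, which differ from the 9.2 API discussed above; the app:setting function, its namespace and the sample stylesheet are constructed.

```java
import java.io.StringReader;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.expr.XPathContext;
import net.sf.saxon.lib.*;
import net.sf.saxon.om.*;
import net.sf.saxon.s9api.*;
import net.sf.saxon.trans.XPathException;
import net.sf.saxon.value.*;

public class UntrustedStylesheetRunner {
    // Hypothetical integrated extension function app:setting($name): the only host
    // data the stylesheet may read. Pre-registered, so it survives ALLOW_EXTERNAL_FUNCTIONS=false.
    static final class SettingFunction extends ExtensionFunctionDefinition {
        public StructuredQName getFunctionQName() {
            return new StructuredQName("app", "urn:example:app", "setting");
        }
        public SequenceType[] getArgumentTypes() {
            return new SequenceType[] { SequenceType.SINGLE_STRING };
        }
        public SequenceType getResultType(SequenceType[] suppliedArgumentTypes) {
            return SequenceType.SINGLE_STRING;
        }
        public ExtensionFunctionCall makeCallExpression() {
            return new ExtensionFunctionCall() {
                public Sequence call(XPathContext ctx, Sequence[] args) throws XPathException {
                    String key = args[0].head().getStringValue();
                    // Only an allow-listed key yields a value; anything else returns "".
                    return new StringValue("product".equals(key) ? "Demo" : "");
                }
            };
        }
    }

    public static void main(String[] argv) {
        Processor proc = new Processor(false);
        // API equivalent of -ext:off: refuse dynamically-loaded Java methods.
        proc.setConfigurationProperty(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, false);
        proc.registerExtensionFunction(new SettingFunction());
        // Constructed stand-in for a stylesheet fetched from an untrusted site.
        String untrusted = "<xsl:stylesheet version='2.0'"
            + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
            + " xmlns:math='java:java.lang.Math' xmlns:app='urn:example:app'>"
            + "<xsl:template match='/*'><xsl:value-of select='app:setting(\"product\")'/>"
            + "<xsl:value-of select='math:sqrt(2)'/></xsl:template></xsl:stylesheet>";
        try {
            XsltExecutable exe = proc.newXsltCompiler()
                .compile(new StreamSource(new StringReader(untrusted)));
            XdmValue out = exe.load30()
                .applyTemplates(new StreamSource(new StringReader("<doc/>")));
            System.out.println(out);
        } catch (SaxonApiException e) {
            // The math:sqrt reflexive call is rejected; app:setting on its own would succeed.
            System.err.println("rejected: " + e.getMessage());
        }
    }
}
```

Under this configuration the registered set of integrated functions, not the -ext flag, is the trust boundary to review: every function passed to registerExtensionFunction is reachable from any stylesheet the processor runs.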

