It's also worth advising that untrusted queries should not be allowed to
execute external (extension) functions or to call the doc() or collection()
function with a file:/// URI. Many sites (including W3C and Google) have
been known to set up services that allowed execution of untrusted XSLT
stylesheets without inhibiting such features.
[mailto:publ...@w3.org] On Behalf Of Dan Connolly
Sent: 28 November 2005 21:54
Cc: Thomas Roessler
Subject: XQuery spec doesn't warn about injection attacks
SQL injection attacks are a well-known risk. Surely there's an analog
Please warn about them.