It's also worth advising that untrusted queries should not be allowed to
execute external (extension) functions or to call the doc() or collection()
function with a file:/// URI. Many sites (including W3C and Google) have
been known to set up services that allowed execution of untrusted XSLT
stylesheets without inhibiting such features.
-----Original Message-----
From: publ...@w3.org
[mailto:publ...@w3.org] On Behalf Of Dan Connolly
Sent: 28 November 2005 21:54
To: publ...@w3.org
Cc: Thomas Roessler
Subject: XQuery spec doesn't warn about injection attacks
SQL injection attacks are a well-known risk. Surely there's an analog
for XQuery.
Please warn about them.
http://www.w3.org/TR/xquery/#id-security-considerations
(I spent (another) 10 minutes trying to get my bugzilla account working and failed. Rather than punt to the someday pile, I'm sending mail. Sorry.)
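As an added illustration of the advice in the reply above (this is example code, not code from the thread or from any of its participants), here is how a service that runs untrusted XQuery can bind user input as an external variable instead of splicing it into the query text, disable extension functions, and refuse non-http(s) URIs for doc()/collection(). It assumes Saxon's s9api classes (Processor, XQueryCompiler, XQueryEvaluator), the FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS property and a Configuration-level URIResolver; the SafeXQuery class and the element names in the queries are hypothetical.

```java
import java.net.URI;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerException;
import javax.xml.transform.URIResolver;
import net.sf.saxon.lib.FeatureKeys;
import net.sf.saxon.s9api.*;

/* Added example (assumed Saxon s9api): run an untrusted XQuery with user input
 * bound as a variable, Java extension functions disabled, and doc()/collection()
 * restricted to http(s) URIs so file:/// lookups are rejected. */
public class SafeXQuery {
    // Vulnerable pattern: the user value becomes part of the query text, so a
    // quote character in the value changes the structure of the query itself.
    static String concatenatedQuery(String user) {
        return "//user[@name='" + user + "']/email";
    }

    // Hardened pattern: the query text is fixed; the value is bound separately.
    static final String PARAMETERISED_QUERY =
        "declare variable $name external; //user[@name=$name]/email";

    static Processor lockedDownProcessor() {
        Processor p = new Processor(false);
        // Refuse calls from the query to Java extension functions.
        p.setConfigurationProperty(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, false);
        // doc()/collection() consult this resolver first; allow only http(s).
        p.getUnderlyingConfiguration().setURIResolver(new URIResolver() {
            public Source resolve(String href, String base) throws TransformerException {
                URI uri = (base == null) ? URI.create(href) : URI.create(base).resolve(href);
                String scheme = uri.getScheme();
                if (!"http".equals(scheme) && !"https".equals(scheme)) {
                    throw new TransformerException("URI scheme not permitted: " + uri);
                }
                return null; // null hands http(s) URIs back to Saxon's default resolver
            }
        });
        return p;
    }

    // Evaluates the fixed query against doc with the user value bound to $name.
    static XdmValue lookupEmail(Processor p, XdmNode doc, String user)
            throws SaxonApiException {
        XQueryExecutable exe = p.newXQueryCompiler().compile(PARAMETERISED_QUERY);
        XQueryEvaluator ev = exe.load();
        ev.setContextItem(doc);
        ev.setExternalVariable(new QName("name"), new XdmAtomicValue(user));
        return ev.evaluate();
    }
}
```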