Subject: RE: XQuery spec doesn't warn about injection attacks
From: Michael Kay (mh@mhk.me.uk)
Date: Nov 28, 2005 2:37:15 pm
List: org.w3.public-qt-comments

It's also worth advising that untrusted queries should not be allowed to execute external (extension) functions or to call the doc() or collection() function with a file:/// URI. Many sites (including W3C and Google) have been known to set up services that allowed execution of untrusted XSLT stylesheets without inhibiting such features.

-----Original Message-----
From: publ@w3.org [mailto:publ@w3.org] On Behalf Of Dan Connolly
Sent: 28 November 2005 21:54
To: publ@w3.org
Cc: Thomas Roessler
Subject: XQuery spec doesn't warn about injection attacks

SQL injection attacks are a well-known risk. Surely there's an analog for XQuery. Please warn about them.

http://www.w3.org/TR/xquery/#id-security-considerations

(I spent (another) 10 minutes trying to get my bugzilla account working and failed. Rather than punt to the someday pile, I'm sending mail. Sorry.)