2 messages in org.w3.public-qt-comments
Dan Connolly, Nov 28, 2005 1:54 pm
Michael Kay, Nov 28, 2005 2:37 pm

Subject: RE: XQuery spec doesn't warn about injection attacks
From: Michael Kay
Date: Nov 28, 2005 2:37:37 pm

It's also worth advising that untrusted queries should not be allowed to execute external (extension) functions or to call the doc() or collection() function with a file:/// URI. Many sites (including W3C and Google) have been known to set up services that allowed execution of untrusted XSLT stylesheets without inhibiting such features.

-----Original Message-----
From: On Behalf Of Dan Connolly
Sent: 28 November 2005 21:54
Cc: Thomas Roessler
Subject: XQuery spec doesn't warn about injection attacks

SQL injection attacks are a well-known risk. Surely there's an analog for XQuery. Please warn about them.

(I spent (another) 10 minutes trying to get my bugzilla account working and failed. Rather than punt to the someday pile, I'm sending mail. Sorry.)
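
The XQuery analog of SQL injection raised in this thread, as an added example that is not part of either message: a query whose text is assembled from request input, contrasted with the same query taking its values through typed external variables. The document users.xml, its element names and the variable names are constructed for illustration.

```xquery
xquery version "1.0";

(: Constructed example, not from the thread.

   Unsafe pattern, shown only as a comment: the host application pastes
   request input into the query text before compiling it, for instance
     "doc('users.xml')/users/user[name = '" + name + "' and pin = '" + pin + "']"
   Any quote character in name or pin is then parsed as query syntax, so
   the caller, not the developer, decides what the predicate means. :)

(: Safer pattern: the query text below is a constant. The host binds the
   two values through its XQuery API as external variables, so they are
   always treated as xs:string data and never parsed as query text. :)
declare variable $name as xs:string external;
declare variable $pin  as xs:string external;

(: The argument to doc() is a literal as well, so request input never
   selects which resource the query reads. :)
for $u in doc("users.xml")/users/user
where $u/name = $name and $u/pin = $pin
return $u/name
```

This covers queries the application wrote itself. Where the whole query comes from an untrusted party, the restrictions on extension functions, doc() and collection() described in the reply have to be enforced in the processor's configuration.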