List:       xsl-list
Subject:    [xsl] XSLT 3.0: Dynamic Evaluation -- inconsistency about treating the document() function
From:       "Dimitre Novatchev dnovatchev () gmail ! com" <xsl-list-service () lists ! mulberrytech ! co
Date:       2015-02-08 23:03:12
Message-ID: 20150208180229.19859 () lists ! mulberrytech ! com
The 6th bullet in Section "10.4.1 Static context for the target
expression" of the 2nd Last Call of the W3C XSLT 3.0 Specification:
    http://www.w3.org/TR/2014/WD-xslt-30-20141002/#evaluate-static-context

says:

"Function signatures: All core functions; constructor functions for
named simple types included in the in-scope schema definitions; all
user-defined functions and accumulator functions present in the
containing package provided their visibility is not hidden or private;
and an implementation-defined set of extension functions.

Note that this set deliberately excludes XSLT-defined functions in the
standard function namespace including, for example, key, current-group,
and system-property. A list of these functions is in G List of
XSLT-defined functions."

Looking in the above-mentioned Appendix G
(http://www.w3.org/TR/2014/WD-xslt-30-20141002/#XSLT-defined-functions),
we find the document() function there.

Therefore, the document function is one of the "deliberately-excluded
XSLT-defined functions" mentioned above, and isn't allowed to be
called inside a dynamically-evaluated XPath expression.

Further in the specification, in section "10.4.2 Dynamic context for
the target expression", at:
http://www.w3.org/TR/2014/WD-xslt-30-20141002/#evaluate-dynamic-context

it is said:

"Note:

For example, a processor may disallow access using the doc or document
functions to documents in local filestore"

From this text it is logical to conclude that the function document()
is actually allowed in a dynamically-evaluable XPath expression,
and sometimes only its access to local-store resources may be
restricted.

This is in contradiction with the first quotation above, according to
which the document() function is one of the "deliberately-excluded
XSLT-defined functions" mentioned above, and isn't allowed to be
called inside a dynamically-evaluated XPath expression.

My questions:
===========

   1. Which of the two contradicting texts quoted above is right and
which is wrong?

   2. Why are function calls to doc()/document() referring to a non-local
store not mentioned as a security risk? What about sending any data
to the remote host, as part of the query component of a URI?


And it certainly will be good to remove this contradiction from the
next version of the XSLT 3.0 specification.

-- 
Cheers,
Dimitre Novatchev
--~----------------------------------------------------------------
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
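An added example, not part of this message or of the XSLT specification: the note quoted from 10.4.2 leaves it to each processor whether doc()/document() may fetch documents from a dynamically evaluated expression, so an application that hands user-supplied strings to xsl:evaluate needs its own control regardless of how the contradiction above is resolved. The Python below is a conservative lexical pre-check of such a string before it reaches the processor. It masks string literals and (: comments :), then reports every call or named function reference (name#arity) to a function in the standard function namespace that reaches the file system, network or environment, including function-lookup, through which any of them can be reached by name. The function list, the `prefixes` parameter and the helper names are this example's own assumptions. It is a pre-filter only: it cannot tell whether the processor exposes document() in the evaluate static context, and the processor's URI-resolution controls remain the primary mitigation.

```python
import re

FN_NS = "http://www.w3.org/2005/xpath-functions"

# Assumed list (this example's own): core and XSLT-defined functions in the
# standard function namespace that read the file system, the network or the
# environment, plus function-lookup, which reaches any of them by name.
RESOURCE_FUNCTIONS = frozenset({
    "doc", "doc-available", "document", "collection", "uri-collection",
    "unparsed-text", "unparsed-text-lines", "unparsed-text-available",
    "json-doc", "environment-variable", "available-environment-variables",
    "function-lookup",
})

# A function call or named function reference: optional Q{uri} or prefix:,
# a local name, then "(" or "#arity". The lookbehind keeps "$doc(...)" (a
# dynamic call on a variable) and the tail of a longer name out of the match.
_CALL = re.compile(
    r"(?<![\w$.\-])(?:Q\{(?P<uri>[^}]*)\}|(?P<prefix>[A-Za-z_][\w.\-]*):)?"
    r"(?P<local>[A-Za-z_][\w.\-]*)\s*(?:\(|#\d)"
)


def mask_literals_and_comments(expr: str) -> str:
    """Replace string literals and (: nested :) comments with spaces of the
    same length, so that a function name inside a quoted string is not
    reported as a call and match offsets still point into the original."""
    out, i, n, depth = [], 0, len(expr), 0
    while i < n:
        two = expr[i:i + 2]
        if two == "(:":
            depth += 1
            out.append("  ")
            i += 2
        elif depth and two == ":)":
            depth -= 1
            out.append("  ")
            i += 2
        elif depth:
            out.append(" ")
            i += 1
        elif expr[i] in "'\"":
            quote = expr[i]
            j = i + 1
            while j < n:
                if expr[j] == quote:
                    if expr[j + 1:j + 2] == quote:  # doubled quote = escape
                        j += 2
                        continue
                    break
                j += 1
            j += 1  # past the closing quote (or the end of an unterminated literal)
            out.append(" " * (j - i))
            i = j
        else:
            out.append(expr[i])
            i += 1
    return "".join(out)


def find_resource_calls(expr: str, prefixes=None):
    """Return [(name, offset)] for every call or function reference in expr
    that resolves to a resource-access function. `prefixes` maps the
    namespace prefixes in scope for the xsl:evaluate instruction to URIs;
    an unprefixed name is in the default function namespace, i.e. FN_NS."""
    bound = {"fn": FN_NS}
    if prefixes:
        bound.update(prefixes)
    found = []
    for m in _CALL.finditer(mask_literals_and_comments(expr)):
        local = m.group("local")
        if local not in RESOURCE_FUNCTIONS:
            continue
        if m.group("uri") is not None:
            name = "Q{%s}%s" % (m.group("uri"), local)
            in_fn = m.group("uri") == FN_NS
        elif m.group("prefix") is not None:
            name = "%s:%s" % (m.group("prefix"), local)
            in_fn = bound.get(m.group("prefix")) == FN_NS
        else:
            name, in_fn = local, True
        if in_fn:
            found.append((name, m.start()))
    return found


def is_safe_for_evaluate(expr: str, prefixes=None) -> bool:
    """True when the expression contains no resource-access call; a caller
    would reject the string before passing it to xsl:evaluate otherwise."""
    return not find_resource_calls(expr, prefixes)


if __name__ == "__main__":
    # Constructed sample expressions, not taken from any real stylesheet.
    for sample in ("count(//item[@id = 'doc('])", "doc($uri)/data",
                   "function-lookup(xs:QName('fn:doc'), 1)('x.xml')"):
        print(repr(sample), "->", find_resource_calls(sample))
```

Calling `find_resource_calls` with the prefix map of the stylesheet that contains the xsl:evaluate instruction matters: a prefix bound to some other namespace (a user-defined `my:document`) is not reported, while `fn:`, `Q{...}` and unprefixed names are resolved against the standard function namespace.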