Re: [xml] Re: [xslt] libxslt effects on _private member of libxmlstructures

Luca Padovani <lpadovan@CS.UniBO.IT> writes:

>>   For the stylesheet compilation, the document is modified and 
>> _private is used to attach the compiled operations to the nodes
>> in the stylesheet tree.
> This may be OK as we assume the stylesheet becomes "opaque" after it is
> compiled, even though a malicious user could in principle remember the
> original DOM document...
>>   For the input documents, _private is used only when key() are
>> defined to attach the keys to the nodes.
> [...]
> So this is a problem (for Gdome2).

Gosh, this sounds true scary! It is not just gdome2 relaying on
application data stored in _private and there might be quite
practical, and definitely not malicious, reasons for remembering nodes
from both the input-document and xslt-stylesheet trees.

-- Petr

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]