
April 26, 2006
9:09 a.m.
Martijn Faassen wrote:
Stefan Behnel wrote: [snip]
Also, remember that the document() function can be used to access local XML files. That may already be a risk in some cases.
Good point. The custom resolver story could help against that, right?
Right. As long as you return anything but None from the Python resolvers, it will be parsed and handed directly back to libxslt. So, if you want to keep libxslt from doing any access to network or hard-disk, it "should" (untested) be enough to write a dummy resolver that returns a dummy or the empty document (resolve_empty()).

Stefan
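The dummy-resolver idea from the message above, as an added example that is not part of the original thread or of lxml's own code: the same stylesheet reads a local file through document() with no resolver, and gets an empty document once a deny-all resolver is registered on the parser that parsed the stylesheet. The names `DenyAllResolver`, `run_stylesheet` and `demo`, and the temporary file and its contents, are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from lxml import etree

# Constructed stylesheet: pulls the <secret> element out of whatever {uri} names.
XSLT_TEMPLATE = """\
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <out><xsl:value-of select="document('{uri}')/secret"/></out>
  </xsl:template>
</xsl:stylesheet>
"""

class DenyAllResolver(etree.Resolver):
    """Answer every lookup with an empty document so libxslt never loads the URL."""
    def __init__(self):
        super().__init__()
        self.requested = []  # URLs the stylesheet asked for, kept for logging/alerting

    def resolve(self, system_url, public_id, context):
        self.requested.append(system_url)
        # Returning anything but None stops lxml from falling back to libxslt's loader.
        return self.resolve_empty(context)

def run_stylesheet(uri, resolver=None):
    # Resolvers are taken from the parser that parsed the stylesheet document.
    parser = etree.XMLParser()
    if resolver is not None:
        parser.resolvers.add(resolver)
    transform = etree.XSLT(etree.XML(XSLT_TEMPLATE.format(uri=uri), parser))
    result = transform(etree.XML("<doc/>"))
    return result.getroot().text or ""

def demo():
    # Constructed local file standing in for something the stylesheet should not read.
    fd, path = tempfile.mkstemp(suffix=".xml")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("<secret>local-file-contents</secret>")
        uri = Path(path).as_uri()
        resolver = DenyAllResolver()
        return {"plain": run_stylesheet(uri),
                "blocked": run_stylesheet(uri, resolver),
                "requested": resolver.requested}
    finally:
        os.unlink(path)
```

The `requested` list doubles as an audit trail of every URL an untrusted stylesheet tried to load.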