
Fredrik Lundh wrote:
> Martijn Faassen wrote:
>> One thing that I wonder about is potential security issues? Are there ways to break out of the Python regexes and call arbitrary Python code? If not, then we don't need to worry about it. XSLT can be run from fairly unsafe sources so this may be a concern.
>
> you can "hang" RE if you want (by crafting a really lousy RE that causes excessive backtracking), but since you can "hang" any XML parser that supports internal DTDs (google for the "billion laughs attack"), I'm not sure how serious this is.
>
> I wouldn't accept XSLT programs from untrusted sources, though...

Agreed that accepting any programs from untrusted sources is dangerous, but it depends also a bit on exactly how untrusted your sources are. I just wanted to make sure we didn't get some kind of potential privilege escalation where people from XSLT could trigger Python by cleverly crafted regexes using some specific extension in Python that I don't know about. Apparently this is safe.

Regards,
Martijn
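The "billion laughs" point Fredrik raises is the one a defender can actually check for before handing a document to a parser: the entity declarations that drive the expansion live in the internal DTD subset, which comes before the root element. The following added example (not code from this thread or from any XML/XSLT library it discusses) uses the standard library's expat binding to collect the entity declarations of an untrusted document, stops parsing as soon as the DOCTYPE ends so nothing is ever expanded, estimates how large the declared entities would become if expanded, and refuses the document if it declares entities at all. The two sample documents, the helper names and the policy of rejecting any DTD entity are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeDtdError(ValueError):
    """Raised when untrusted XML declares entities in its DTD."""


class _StopAfterDtd(Exception):
    """Internal signal: the DOCTYPE is over, stop before any body content is parsed."""


# Matches general entity references such as &name; (not character references &#...;).
_ENTITY_REF = re.compile(r"&([^&;#\s]+);")


def collect_entity_declarations(data: bytes) -> dict:
    """Return {entity_name: replacement_text} for the internal DTD subset of `data`.

    Parsing is aborted when the DOCTYPE ends or the root element starts, so an
    entity referenced in the document body is never expanded by this function.
    """
    declared = {}

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # External entities carry a system id instead of a value; record them too,
        # since an untrusted document should not be declaring either kind.
        declared[name] = value if value is not None else ""

    def stop(*_args):
        raise _StopAfterDtd

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.EndDoctypeDeclHandler = stop   # DTD finished: we have what we need
    parser.StartElementHandler = stop     # no DOCTYPE at all: root element reached
    try:
        parser.Parse(data, True)
    except _StopAfterDtd:
        pass
    return declared


def expansion_size(entities: dict, name: str, _seen=()) -> int:
    """Byte size of the fully expanded text of entity `name`, following nested references."""
    if name in _seen:
        # Recursive entities are forbidden by the XML spec; treat them as hostile.
        raise UnsafeDtdError(f"recursive entity reference: {name!r}")
    text = entities.get(name)
    if text is None:
        # Predefined or undeclared reference: it stays roughly its literal size.
        return len(name) + 2
    size, last = 0, 0
    for m in _ENTITY_REF.finditer(text):
        size += m.start() - last
        size += expansion_size(entities, m.group(1), _seen + (name,))
        last = m.end()
    return size + len(text) - last


def amplification(entities: dict) -> int:
    """Largest fully expanded entity size, the figure a parser's amplification cap looks at."""
    return max((expansion_size(entities, n) for n in entities), default=0)


def parse_untrusted(data: bytes):
    """Parse `data` only if its DTD declares no entities; otherwise raise with the would-be size."""
    entities = collect_entity_declarations(data)
    if entities:
        raise UnsafeDtdError(
            f"document declares {len(entities)} entit(y/ies); "
            f"largest expansion would be {amplification(entities)} bytes")
    return ET.fromstring(data)


# Constructed sample inputs for the demonstration.
SAFE_DOC = b"<?xml version='1.0'?><root><item>ok</item></root>"
ENTITY_DOC = (
    b"<?xml version='1.0'?>\n"
    b"<!DOCTYPE root [\n"
    b"  <!ENTITY a 'aaaaaaaaaa'>\n"                       # 10 bytes
    b"  <!ENTITY b '&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;'>\n"   # 10 references to a
    b"]>\n"
    b"<root>&b;</root>"
)

if __name__ == "__main__":
    print(parse_untrusted(SAFE_DOC).tag)                     # root
    ents = collect_entity_declarations(ENTITY_DOC)
    print(sorted(ents), amplification(ents))                 # ['a', 'b'] 100
    try:
        parse_untrusted(ENTITY_DOC)
    except UnsafeDtdError as exc:
        print("rejected:", exc)
```

The check is deliberately a policy decision rather than a parser tweak: recent libexpat releases do cap the amplification factor on their own, but refusing entity declarations up front works regardless of which parser or library version ends up consuming the document, and the reported expansion size gives the operator something concrete to log. The regex half of Fredrik's remark has no equivalent pre-check in the standard library, since `re` offers no match timeout; there the practical mitigations are bounding input length and, as both writers conclude, not running patterns or stylesheets from sources you do not trust.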