xslt security

[tascien]

Can anyone tell me what security problems that can be encountered when
running xslt transformation on the server side? appart from potential
infinite loops?

Also, I have the below code... why am i being forced to pass the
EVIDENCE... ( all other constructors are marked absolete ) and what is
the evidence anyway? what does it do? I need to pass a string to
transformer.load...

Sub Work()

Dim x As New Xml.XmlDocument
x.Load("sales.xml")
Dim t As New Xml.Xsl.XslTransform

Dim w As New System.IO.StreamReader("transform.xsl")
Dim xr As New System.Xml.XmlTextReader(w)
t.Load(xr, Nothing, New System.Security.Policy.Evidence)
w.Close()

Dim sw As New System.IO.StringWriter
t.Transform(x.CreateNavigator(), Nothing, sw, Nothing)
s = sw.ToString()

End Sub

 

[Cor Ligthert [MVP]]

Tascien,

Security is something seldom answered at least not by me.

However there are some special security newsgroups for dotnet.

microsoft.public.dotnet.framework.security
and
microsoft.public.dotnet.security.

I give you in one of those newsgroups a better change.

Cor

 

[tascien]

thank you

 

[KJS]

thank you

Thanks for the thread - I have posted the exact same questions (but from
a different angle, I have went throught the grueling steps to satisfy
"evidence" and "xmlresolver" etc... but now have this new issue (see
subject below) to the DOTNET.XML forum, subject -
"System.Xml.Xsl.XsltException: Missing mandatory attribute 'version'"

Very interested in your results.

 

[tascien]

Never been able to find out anything more about this subject. As my
software was approaching Alpha release, I did not have enough time to
investigate further... I have a feeling that programmers at Microsoft
are no longer as smart as they used to be. The software that they are
releasing these days are not as Intuitive as they were before...

Compared to its time, classic ASP was a clear and concise concept,
ASP.NET, although with its powers, it has so many questions still not
answered, after i went through the process of building an application
with it. Amongst:

1. the xsl transformation constructors
2. shared hosting with different ASP.NET user account. (they all run
under NETWORK SERVICE)
3. returning an auto-increment ID after inserting a record in ADO.NET
4. debugging on remote computer. (Never been able to set this up
successfully. May be i was doing something wrong... but i kept asking
questions...)
5. sharing .NET project with other programmers at the same time...

those are some of (not all) the questions that went unanswered on
google groups during the last 7 months i was building this new software
based on .NET.

I am not going to ask anymore questions at this time. I will just wait
for .NET 2.0, and hope that things are better there. But i hope... I
hope we don't have the same pain Moving to 2.0, like it was from
classing ASP to .NET.

Sorry to be off topic... but that is my opinion.