November 8, 2007

XSLT and XSS attacks

I noticed Robert Robbins was writing about XSS attacks using XSLT: "It is possible to extend the power of XSLT using JavaScript embedded into the XSL file. Therefore any web application that allows the user to upload their own XSL file will be vulnerable to Cross Site Scripting attacks." Well, that's ...
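A defender-side check for the upload case in the quote above, as an added example that is not from the original post or from Robert Robbins: it flags an `msxsl:script` extension block and, going beyond the quoted text, literal or constructed output elements and attributes that carry script. The function names, the tag deny-list and the sample stylesheet are assumptions made for illustration, and a deny-list like this is a heuristic, not a complete filter.

```python
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"  # namespace of the msxsl:script extension
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # assumed deny-list

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    ns, _, local = tag[1:].partition("}") if tag[0] == "{" else ("", "", tag)
    return ns, local

def audit_stylesheet(xsl_bytes):
    """Return reasons to reject an uploaded stylesheet (empty list = none found)."""
    # Refuse DTDs outright so the parser never expands attacker-defined entities.
    if b"<!DOCTYPE" in xsl_bytes or b"<!ENTITY" in xsl_bytes:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(xsl_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        ns, local = split_tag(el.tag)
        name = el.get("name", "").lower()
        if ns == MSXSL_NS and local == "script":
            findings.append("msxsl:script block (script embedded in the stylesheet)")
        elif ns == XSL_NS:
            # Names containing '{' are computed at transform time, so treat as unknown.
            if local == "element" and (name in ACTIVE_TAGS or "{" in name):
                findings.append(f"xsl:element builds <{name}>")
            if local == "attribute" and (name.startswith("on") or "{" in name):
                findings.append(f"xsl:attribute builds '{name}'")
        else:  # literal result element, copied into the output as written
            if local.lower() in ACTIVE_TAGS:
                findings.append(f"literal <{local}> element in output")
            for attr, value in el.attrib.items():
                a = split_tag(attr)[1].lower()
                if a.startswith("on") or value.strip().lower().startswith("javascript:"):
                    findings.append(f"script-bearing attribute '{a}' on <{local}>")
    return findings

# Constructed sample upload (not from the original post).
SCRIPTED = b"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:u="urn:example">
  <msxsl:script language="JScript" implements-prefix="u">function f(){return 1;}</msxsl:script>
  <xsl:template match="/"><script>f()</script><a onclick="f()">x</a></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print("\n".join(audit_stylesheet(SCRIPTED)))
```

Run the check before the stylesheet is stored or handed to a transform engine, and treat any finding as grounds to reject the upload.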