Say for the sake of discussion that I wanted to provide a service for people to transform XML documents by uploading their own XSLT files to my server. How insecure is this?
I know XSLT can get you into infinite recursion, but some kind of time limit on the script along with appropriate error handling would probably be enough to make that not too much of an issue. Potentially worse are things like the document() function that can suck any XML document into the stylesheet -- a person could make the server repeatedly download huge XML files in an attempt to cripple the server. I would hope that any XSLT processor I used would allow me to disable the document() function.
Are there any other security considerations to worry about with allowing people to execute arbitrary XSLT on your server?
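One way to apply the two controls discussed above, a time limit and a disabled document() function, shown as an added example that is not part of the original post. It assumes Python with the third-party lxml bindings for libxslt; `run_untrusted_xslt` and the sample URL are hypothetical names.

```python
import json
import subprocess
import sys

# Source of the worker process; it needs the third-party lxml package (libxslt).
_WORKER = r'''
import json, sys
from lxml import etree

job = json.load(sys.stdin)
# Parse both inputs without DTD loading, entity expansion or network fetches.
parser = etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)
# Deny every file and network read or write requested during the transform;
# this is what makes document() fail instead of fetching its argument.
deny = etree.XSLTAccessControl(read_file=False, write_file=False,
                               create_dir=False, read_network=False,
                               write_network=False)
style = etree.XSLT(etree.fromstring(job["xslt"].encode(), parser),
                   access_control=deny)
result = style(etree.fromstring(job["xml"].encode(), parser))
sys.stdout.write(str(result))
'''


def run_untrusted_xslt(xslt, xml, timeout=5.0):
    """Apply an uploaded stylesheet in a throwaway process.

    Returns (status, text) where status is "ok", "error" or "timeout".
    The transform runs in native code, so the time limit is enforced by
    killing the worker process rather than by an in-process timer.
    """
    job = json.dumps({"xslt": xslt, "xml": xml})
    try:
        proc = subprocess.run([sys.executable, "-c", _WORKER], input=job,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed the worker at this point.
        return "timeout", ""
    if proc.returncode != 0:
        # Keep only the last stderr line; do not echo tracebacks to uploaders.
        lines = proc.stderr.strip().splitlines()
        return "error", lines[-1] if lines else ""
    return "ok", proc.stdout


if __name__ == "__main__":
    # Constructed sample: document() aimed at a remote file must fetch nothing.
    sheet = ('<xsl:stylesheet version="1.0" '
             'xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
             '<xsl:template match="/"><xsl:copy-of '
             'select="document(\'http://example.invalid/huge.xml\')"/>'
             '</xsl:template></xsl:stylesheet>')
    print(run_untrusted_xslt(sheet, "<doc/>"))
```

The worker's output is still buffered in memory by the parent, so a production service would also cap output size and the worker's memory.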
Here's a great piece at Winds of Change that details some of the transformations our military is currently undergoing. It has lots of links to background information that I'd like to come back and check out later.
Update (July 20): Also see this.
Spider solitaire
To answer an earlier question, I am almost certain every game can be beat. ...
Jared: Jul 16, 2:20pm