Eval


Eval

Alex Muir
Hi,

I've come across an XSLT best practices document which suggests avoiding the use of eval() to dynamically construct an XPath from a string, because there is no static type checking of the XPath, errors may only be detected at run time, and it is difficult to debug as there will be no stack trace.

I'm wondering how accurate that statement is in the case of saxon:eval()?

I note that text is likely now rather old, and there is now xsl:evaluate, for which Saxon's implementation uses caching.
http://www.w3.org/TR/xslt-30/#evaluate-effect has a list of associated security implications.

I assume it's recommended to use xsl:evaluate over eval()?


-

Regards
Alex Muir
www.tilogeo.com

------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
saxon-help mailing list archived at http://saxon.markmail.org/
[hidden email]
https://lists.sourceforge.net/lists/listinfo/saxon-help 

Re: Eval

Michael Kay
The main danger with dynamic evaluation is the possibility of injection attacks. The best way of avoiding that risk is to avoid constructing queries where any part of the expression to be evaluated comes directly from end user input. For example, using variables in your XPath expression is much better than putting literals into the expression by string concatenation.

The debugging and performance disadvantages of dynamic evaluation are exactly the same whether you use XSLT 3.0 xsl:evaluate or the old saxon:evaluate() extension function.

With XSLT 3.0 another possibility to consider is higher order functions. They don't replace all use cases for dynamic evaluation, but they replace quite a few.

xsl:evaluate gives more control over the static and dynamic context for the XPath evaluation; it's generally more "feature rich" in areas like being able to set the namespace context. Also, as mentioned, the implementation uses caching of compiled expressions for performance, whereas the saxon:expression/saxon:eval design relies on explicit pre-compilation of expressions that you intend to evaluate more than once.


Michael Kay
Saxonica
+44 (0) 118 946 5893




On 20 Jan 2015, at 15:56, Alex Muir <[hidden email]> wrote:



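Michael Kay's advice above, that a caller-supplied value should reach the expression as an XPath variable rather than by string concatenation, as an added XSLT 3.0 illustration. This is not code from the thread, from Saxonica or from the best-practices document Alex mentions: the users document, the wanted parameter, the element names and the e-mail addresses are constructed for the example, and the xsl:try/xsl:catch around the concatenated form is there to show the run-time-only error detection the question refers to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the saxon-help thread. All data and names are constructed. -->
<xsl:stylesheet version="3.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:err="http://www.w3.org/2005/xqt-errors"
    exclude-result-prefixes="xs err">

  <xsl:output method="xml" indent="yes"/>

  <!-- Caller-supplied lookup key (e.g. a form field): treated as untrusted input. -->
  <xsl:param name="wanted" as="xs:string" select="'alice'"/>

  <!-- Constructed sample data so the stylesheet runs without an input file. -->
  <xsl:variable name="doc" as="document-node()">
    <xsl:document>
      <users>
        <user name="alice" email="alice@example.invalid"/>
        <user name="bob"   email="bob@example.invalid"/>
      </users>
    </xsl:document>
  </xsl:variable>

  <xsl:template name="xsl:initial-template">
    <result>

      <!-- Risky pattern: the untrusted value is spliced into the expression text,
           so any quote or bracket in it becomes XPath syntax. Depending on the
           value this either evaluates a different query than intended or raises a
           dynamic error that only surfaces here, at run time, with no static check.
           xsl:try/xsl:catch makes that failure visible in the output. -->
      <concatenated>
        <xsl:try>
          <xsl:evaluate
              xpath="concat('/users/user[@name = ''', $wanted, ''']/@email/string()')"
              context-item="$doc"/>
          <xsl:catch>
            <error code="{$err:code}"><xsl:value-of select="$err:description"/></error>
          </xsl:catch>
        </xsl:try>
      </concatenated>

      <!-- Recommended pattern: the expression text is a fixed literal and the
           value is bound to the XPath variable $n through xsl:with-param. The
           value is compared as data and is never parsed as part of the expression,
           so the query's meaning cannot change with the input. -->
      <parameterised>
        <xsl:evaluate
            xpath="'/users/user[@name = $n]/@email/string()'"
            context-item="$doc">
          <xsl:with-param name="n" select="$wanted"/>
        </xsl:evaluate>
      </parameterised>

    </result>
  </xsl:template>
</xsl:stylesheet>
```

Run it with Saxon's command line using -it (Saxon 9.8 or later, which starts at xsl:initial-template) and wanted=alice to set the parameter; both branches then return alice@example.invalid. With a perfectly legitimate value such as O'Brien the concatenated branch produces an error element instead of a result, because the apostrophe terminates the string literal inside the generated expression, whereas the parameterised branch simply compares the string and returns an empty sequence. The same split applies to saxon:evaluate: Kay's point is that the expression text should be constant and the data should travel as variables, whichever evaluation mechanism is used.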