Can XQuery/XPath contribute to attack vectors?

Raised by:
Stephen Farrell
Opened on:
See the disposition of ACTION-3; in particular the note at [1]. The basic
question is how XPath and XQuery, when used in conjunction with Web content, can
contribute to attacks against the secure display of security context information.

The expectation is to revisit this issue when there is an actual draft of the
techniques document.

Related Action Items:
No related actions
Related emails:
  1. Agenda: WSC WG distributed meeting, Wednesday, 2007-12-05 (from on 2007-12-04)
  2. Re: ACTION-332 OPEN Elaborate on ISSUE-3 Stephen Farrell 2007-11-13 (from on 2007-11-26)
  3. WSC Open Action Items (from on 2007-11-26)
  4. Meeting record: WSC WG f2f 2007-11-06 (from on 2007-11-21)
  5. Draft minutes: WSC WG 2007-11-06 (from on 2007-11-17)
  6. WSC Open Action Items (from on 2007-11-16)
  7. WSC Open Action Items (from on 2007-11-09)
  8. ISSUE-3: Can XQuery/XPath contribute to attack vectors? (from on 2007-11-06)
  9. Re: ISSUE-37: qualify your interrupts (from public comments) (from on 2007-04-18)
  10. Re: ISSUE-38: no safe haven in presentation space (from public comments) (from on 2007-04-18)
  11. Re: ISSUE-39: cooperate with WAI-ARIA 'politeness' (from public comments) (from on 2007-04-18)
  12. Re: ISSUE-34: Formal studies don't cover disability access adequately, use experts too - (public comment) (from on 2007-04-17)
  13. Re: ISSUE-35: information overload/underload -- no oneSizeFitsAll (public comment) (from on 2007-04-17)
  14. Re: ISSUE-36: presentation norms -- no oneSizeFitsAll (from public comments) (from on 2007-04-17)
  15. Re: ISSUE-33: Charter retains authority Review of Note (from on 2007-04-16)
  16. ISSUE-3: Can XQuery/XPath contribute to attack vectors? (from on 2006-11-21)

Related notes:

Logged under Section 11. Security Considerations.

Anil Saldhana, 20 Jan 2008, 09:01:49

forgot to put the identifier - follow this thread

Mary Ellen Zurko, 21 Mar 2008, 17:28:21


Mary Ellen Zurko, Chair, Thomas Roessler, Staff Contact