This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Currently, under 10.4.1 Static context for the target expression (http://www.w3.org/TR/xslt-30/#evaluate-static-context), sixth dot, we say: "Function signatures: All core functions; constructor functions for named simple types included in the in-scope schema definitions; all user-defined functions and accumulator functions present in the containing package provided their visibility is not hidden or private; and an implementation-defined set of extension functions." In the spec, core functions are defined as the set of functions in the standard function namespace "http://www.w3.org/2005/xpath-functions". I think this is too strict. I don't see any reason to disallow math functions or map functions. In addition, I would like to have the ability to limit the range of functions. I.e., I can imagine that implementations would like to prevent usage of doc() and unparsed-text() for obvious security reasons. This, of course, could be a totally implementation defined user option, but it should be possible to have this restriction on by default.
We discussed this issue in Prague. The current definition of 'core functions' appears to need updating to include all the functions in F and O, not just the fn:* functions. (Constructors may need special attention.) On consideration, we leaned toward defining 'core functions' to include fn:* and math:* and map:* and to exclude constructor 'functions' and the op:* pseudo-namespace. In connection with the last paragraph of the issue, the WG inclined to believe that the right solution would be to specify that the set of available documents is empty, or restricted in some way (e.g. no file: URIs). It would probably be useful to have a note mentioning this and specifying that implementations are allowed to restrict the dynamic context.
Changes applied: 1: change the definition of core functions to include the math and map namespaces 2: allow processors to restrict the availability of external documents in xsl:evaluate for security reasons.