Open
Labels
enhancement (New feature or request)
Description
The library needs to have a general-purpose mechanism for security policies.
Anywhere that an external resource is accessed, such as external DTDs, XInclude, xsl:import, xsl:include, a security policy must control the access. The library will provide a default policy that the application can override.
Discussed in #32
Originally posted by Devasta August 16, 2022
Hi Steve,
External DTDs, just wondering if it's ok that I put a restriction on the processor that the user must provide a pre-approved list of URLs for the DTDs, possibly as command line args or in some config file? Figure it'd be a bit of a security risk otherwise.
I'll probably also create a folder somewhere that'll hold popular DTDs like XHTML.
Let me know what you think.
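One way the default-deny policy and pre-approved URL list discussed above could look, as an added sketch that is not code from the library or from either poster. `SecurityPolicy`, `Kind`, `canonical` and `DEFAULT_POLICY` are hypothetical names, and URLs are normalised before matching so that case, default ports, dot segments or userinfo cannot slip past the list.

```python
# Added illustration: SecurityPolicy, Kind and canonical() are hypothetical names,
# not the library's API. Paths passed as `local` are whatever the application bundles.
import posixpath
from dataclasses import dataclass, field
from enum import Enum
from pathlib import Path
from urllib.parse import urlsplit

class Kind(Enum):
    DTD = "external DTD"
    XINCLUDE = "XInclude"
    XSL_IMPORT = "xsl:import"
    XSL_INCLUDE = "xsl:include"

def canonical(url: str) -> str:
    """Normalise a URL so allowlist matching cannot be dodged by spelling tricks."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    # Only http(s); reject userinfo ("http://trusted@other/") and empty hosts.
    if scheme not in ("http", "https") or "@" in parts.netloc or not parts.hostname:
        raise ValueError(f"unsupported or ambiguous URL {url!r}")
    port = "" if parts.port in (None, {"http": 80, "https": 443}[scheme]) else f":{parts.port}"
    path = posixpath.normpath(parts.path or "/")  # collapses "." and ".." segments
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{parts.hostname}{port}{path}{query}"

@dataclass
class SecurityPolicy:
    """Default-deny policy: an empty instance refuses every external resource."""
    allowed: dict = field(default_factory=dict)  # Kind -> set of canonical URLs
    catalog: dict = field(default_factory=dict)  # canonical URL -> local copy

    def allow(self, kind: Kind, url: str, local=None) -> None:
        key = canonical(url)
        self.allowed.setdefault(kind, set()).add(key)
        if local is not None:
            self.catalog[key] = Path(local)  # serve a bundled copy, no network fetch

    def resolve(self, kind: Kind, url: str):
        """Return the local Path or canonical URL to load, else raise PermissionError."""
        try:
            key = canonical(url)
        except ValueError as exc:
            raise PermissionError(f"{kind.value}: {exc}") from exc
        if key not in self.allowed.get(kind, ()):
            raise PermissionError(f"{kind.value}: {key} is not pre-approved")
        return self.catalog.get(key, key)

DEFAULT_POLICY = SecurityPolicy()  # library default: nothing external is loaded
```

An application overrides the default by building its own `SecurityPolicy` and calling `allow()` per resource kind; approval for a DTD does not carry over to XInclude or `xsl:import`.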