Article:
XQuery, the Server Language
Subject: Security concerns
Date: 2007-06-07 08:02:16
From: john_judy
What sort of input validation/clean-up functionality does this have? I assume the example in this article was just a simple demonstration, but it leaves a gaping hole for someone to include an XSS attack. Are there namespaces, etc. that can handle this sort of issue?
- Security concerns
2007-06-08 01:11:52 Kurt Cagle
The point you raise is valid, though again, what you're talking about here is the brief example code in this article, meant to showcase a principle, not to protect against intrusion.
In a more complete working implementation, security actually happens at a number of levels:
1) Authentication - you can create and maintain authenticated sessions with something like eXist (and most XML databases that I'm aware of).
2) XML validation - I've shown above the very simple example of query string parameters being passed, but realistically, XQuery really begins to come into its own once you start combining it with an XML generator (such as XForms) on the client. As you can validate such content, this holds a great deal of promise in reducing or even eliminating many types of client/server loopholes.
3) Modularization (Web Services) - simply put, you declare XQuery functions and do your processing there, possibly with proxies to process incoming requests and filter out potentially bad ones. I'll get into that in a subsequent article.
There are other techniques you can use too, but in general, most of the assumptions about security with SQL databases also carry over into XML ones.
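The following is an added illustration of point 2 above for eXist-db; it is not code from the article or from either comment. It assumes eXist's request and util modules, a request parameter named q (and url), and hypothetical local: function names. The unsafe variant shows how echoing a parameter back as parsed markup hands the page to an attacker; the hardened variants whitelist the value first and then emit it where the serializer escapes it.

```xquery
xquery version "1.0";

(: Added illustration, not code from the article or the comments above.
   Assumes eXist-db's request and util modules; the parameter names "q"
   and "url" and the local: function names are hypothetical. :)
declare namespace request = "http://exist-db.org/xquery/request";
declare namespace util = "http://exist-db.org/xquery/util";

(: Reject anything that does not match an explicit whitelist pattern.
   Only the first value is taken, so ?q=a&q=b cannot smuggle a sequence. :)
declare function local:checked-param($name as xs:string, $pattern as xs:string) as xs:string? {
    let $raw := request:get-parameter($name, ())[1]
    return
        if (empty($raw)) then ()
        else if (matches($raw, $pattern)) then $raw
        else error(xs:QName("local:bad-input"), concat("Rejected value for parameter ", $name))
};

(: Weak: parsing the parameter as XML turns "<script>alert(1)</script>"
   submitted by the client into a real script element in the response. :)
declare function local:echo-unsafe() as element(p) {
    <p>{ util:parse(request:get-parameter("q", "")) }</p>
};

(: Hardened: the value is validated, then placed in the element as a text
   node, so the serializer escapes "<" and "&" and the browser sees text. :)
declare function local:echo-safe() as element(p) {
    let $q := local:checked-param("q", "^[A-Za-z0-9 _.-]{1,64}$")
    return <p>You searched for: { $q }</p>
};

(: Attribute context needs its own rule: escaping alone does not stop
   href="javascript:...", so the URL scheme is whitelisted as well. :)
declare function local:link-safe() as element(a)? {
    let $url := local:checked-param("url", "^https?://[A-Za-z0-9./_-]{1,200}$")
    return if (exists($url)) then <a href="{ $url }">{ $url }</a> else ()
};

local:echo-safe()
```

Two points worth noting. First, XQuery's element constructors already help: a string bound with `{ $q }` becomes a text node and is escaped on output, so the classic hole appears only when the script re-parses untrusted text as markup (util:parse here, or any "disable output escaping" serialization option). Second, escaping is context-specific: a validated string that is harmless as element content can still be dangerous as an href or an event-handler attribute, which is why the link function checks the scheme rather than relying on escaping.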