Open crism opened 7 years ago

When loading media resources from a remote service, the XSL transformation file is specified in the form submission parameters as a URI. The Scalar server fetches this resource from the specified URI and applies it; the form submission could easily be presented with a maliciously-crafted XSLT, and Scalar will naïvely execute it. The remote-resource processing XSLT should only be loaded from the local filesystem, installed with Scalar or with a trusted plugin.

Yes, great catch! I've been meaning to validate the values against Scalar's list of archives (archives.rdf). Will add to the list.

@crism Would you be able to put this on our repository as a pull request?

Has this been included in anvc/scalar's repository?
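The mitigation the issue asks for, as an added example (not Scalar's own code and not from the anvc/scalar repository): the form parameter is treated as an opaque key into an allowlist of stylesheets shipped in a fixed local directory, never as a path or URI, and the XSLT processor is told to refuse file and network access during the transform. The directory name, the allowlist entries, the `rdf` key and the request parameter name are hypothetical.

```php
<?php
// Added example, not Scalar's code. Resolves a stylesheet by an allowlisted
// short name to a file inside one local directory instead of fetching the URI
// a form submission names. Directory and file names are hypothetical.

final class LocalXsltLoader
{
    private string $baseDir;

    /** @var array<string,string> allowlisted name => file name inside $baseDir */
    private array $allowlist;

    public function __construct(string $baseDir, array $allowlist)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("XSLT directory not found: $baseDir");
        }
        $this->baseDir = $real;
        $this->allowlist = $allowlist;
    }

    /**
     * Map the request parameter to a local file. The value is only ever used
     * as an array key, so "http://..." or "../" values fail the lookup and are
     * never opened, fetched or concatenated into a path.
     */
    public function resolve(string $name): string
    {
        if (!array_key_exists($name, $this->allowlist)) {
            throw new RuntimeException("unknown stylesheet: $name");
        }
        $path = realpath($this->baseDir . DIRECTORY_SEPARATOR . $this->allowlist[$name]);
        // Defence in depth: even an allowlisted entry must resolve inside
        // $baseDir (a symlink or a bad config entry could otherwise escape it).
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            throw new RuntimeException("stylesheet outside XSLT directory: $name");
        }
        return $path;
    }

    /** Apply the named local stylesheet to already-fetched XML text. */
    public function transform(string $name, string $sourceXml): string
    {
        $xsl = new DOMDocument();
        // LIBXML_NONET: neither document may pull in remote entities/DTDs.
        if (!$xsl->load($this->resolve($name), LIBXML_NONET)) {
            throw new RuntimeException("cannot parse stylesheet: $name");
        }
        $src = new DOMDocument();
        if (!$src->loadXML($sourceXml, LIBXML_NONET)) {
            throw new RuntimeException('cannot parse source document');
        }

        $proc = new XSLTProcessor();
        // Forbid every filesystem and network operation the transform could
        // otherwise perform (e.g. via document() or EXSLT extensions).
        $proc->setSecurityPrefs(
            XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY
            | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK
        );
        // Deliberately no registerPHPFunctions(): that would let a stylesheet
        // call arbitrary PHP functions.
        $proc->importStylesheet($xsl);
        $out = $proc->transformToXml($src);
        if ($out === false) {
            throw new RuntimeException("transform failed: $name");
        }
        return $out;
    }
}

// Usage (hypothetical directory, allowlist and parameter name):
// $loader = new LocalXsltLoader(__DIR__ . '/xsl', ['rdf' => 'rdf_to_scalar.xsl']);
// echo $loader->transform($_POST['xsl'] ?? '', $remoteXml);
```

The design point is that the only thing taken from the request is which allowlisted name to use; nothing a client sends is ever opened as a file or fetched as a URL. The `setSecurityPrefs` call is the second layer: even a stylesheet that does ship with Scalar or a plugin cannot read or write local files or reach the network while it runs.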