To my way of thinking, there is an aspect of "security" associated with language compilers.  It is related to how faithful the translation is to the original source code intent.  There are two aspects to this.  First, does the resulting translation embody the instructions of the original and only those instructions, with nothing extraneous added?  One partial measure of this is the size of the existing bug list.

Second, does the presence of syntactically or semantically incorrect source result in a usable set of (perhaps) unintended instructions?  As I understand it, it was one of the reasons why the Ada language designers (yup, I'm old enough to remember that effort) not only specified what happened with correct source programs, but also what the compiler should do on the various possible errors.  Whenever a spec has a statement like "the result of an error is left up to the implementation", all bets are off as far as incorrect sources are concerned.

Just my $0.02.


At 04:06 PM 10/16/2009, you wrote:
No, there's no such assessment available.
I'm not quite sure how one would go about such an assessment. Saxon is not trying to protect or prevent anything, so the risk of it failing to do so is nil. It's basically a language compiler - I don't know what is meant by the "security" of a compiler.
The only known security issue with Saxon has been the problem that can arise if you allow untrusted stylesheets to run in a sensitive environment: Code written in XSLT and XQuery is code like any other, and if you don't trust code then you shouldn't run it. Sounds too obvious to me to be classed as a "vulnerability", but it's a mistake people have made, so it's worth pointing out.


Michael Kay
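If an untrusted stylesheet must be run anyway, the practical mitigation is to take away the capabilities that make XSLT code dangerous before it runs: reflexive calls into Java classes and access to URIs. The following is an added example, not code from this thread or from Saxonica; it assumes the Saxon 9 s9api Java API of the period (FeatureKeys moved to net.sf.saxon.lib in later releases) and that an exception thrown by the URIResolver is sufficient to block document() and xsl:import / xsl:include.

```java
import java.io.StringReader;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerException;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.FeatureKeys;          // net.sf.saxon.lib.FeatureKeys from Saxon 9.4 onwards
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.SaxonApiException;
import net.sf.saxon.s9api.XdmDestination;
import net.sf.saxon.s9api.XdmNode;
import net.sf.saxon.s9api.XsltCompiler;
import net.sf.saxon.s9api.XsltTransformer;

/** Runs a stylesheet we do not trust, with Java extension calls and URI access switched off. */
public class RestrictedXslt {

    // Constructed sample input document; the stylesheet is the part treated as untrusted.
    static final String INPUT = "<doc><item>a</item></doc>";

    /** Refuses every URI, so neither compile-time includes nor run-time document() reach disk or network. */
    static final URIResolver DENY_ALL = new URIResolver() {
        public Source resolve(String href, String base) throws TransformerException {
            throw new TransformerException("URI access denied for untrusted stylesheet: " + href);
        }
    };

    public static XdmNode run(String untrustedStylesheet) throws SaxonApiException {
        Processor proc = new Processor(false);
        // Disallow XPath calls into arbitrary Java classes (the "java:" extension mechanism).
        proc.setConfigurationProperty(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, Boolean.FALSE);

        XsltCompiler compiler = proc.newXsltCompiler();
        compiler.setURIResolver(DENY_ALL);          // compile time: xsl:import / xsl:include
        XsltTransformer t = compiler.compile(
                new StreamSource(new StringReader(untrustedStylesheet))).load();
        t.setURIResolver(DENY_ALL);                 // run time: document()
        t.setSource(new StreamSource(new StringReader(INPUT)));
        XdmDestination out = new XdmDestination();
        t.setDestination(out);
        t.transform();
        return out.getXdmNode();
    }

    public static void main(String[] args) throws SaxonApiException {
        // Constructed stylesheet that tries to pull in a local file via document(); the resolver rejects it.
        String sheet = "<xsl:stylesheet version='2.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
                + "<xsl:template match='/'><out><xsl:copy-of select=\"document('file:///some/local/file.xml')\"/></out></xsl:template>"
                + "</xsl:stylesheet>";
        System.out.println(run(sheet));   // expected: SaxonApiException carrying the "URI access denied" message
    }
}
```

unparsed-text() uses a separate resolver mechanism and is not covered by the URIResolver above; check the Saxon documentation for the version in use before relying on this alone.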

From: Brian Newman []
Sent: 16 October 2009 15:49
Subject: [saxon] Security

I'm developing an XSL based solution for the US Navy whose data needs to be held secure.

I've not been able to find any information on Saxonica regarding what its security vulnerabilities are (security vulnerabilities of the processor, not XSL in general).  Basically, I need some sort of security profile info that I can hand to my boss so he can make a determination as to whether we can use Saxonica.

Is that information available somewhere?


Brian Newman CISSP

Software Engineer

Network Security Systems Plus, Inc.

5205 Leesburg Pike, Suite 1502

Falls Church, Virginia 22041




saxon-help mailing list archived at