Wendell Piez edited this page Aug 2, 2023 · 11 revisions

XSLT Blender - overview

XSLT Blender is a mix of old-school and newfangled document processing logic, delivered safely to your browser for local use.

An HTML page with some lightweight JavaScript provides an application space. The contents of the page, however, are not provided statically, but rather are generated dynamically from a source data file (encoded in XML), typically although not necessarily loaded by the user. This dynamic production enables pages that are pre-wired for application logic, while never requiring any data to be moved off the user's system, since the application has come to the user. Small code bases can underlie logic customized and tuned to the use case, and deployment requires only a plain web server. Applications well suited to the framework include preview/display, analytic applications, 'reflection', data and code polling and auditing, anonymization/sanitization, and a host of others. See the portal for demonstrations.
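The local, in-browser flow described above, as an added example that is not part of this page or of the XSLT Blender code base: a user-chosen XML file is read with the File API and transformed by the browser's own XSLT 1.0 processor, after a simple audit of the stylesheet for references that would reach beyond the page. The element ids, the ./app.xsl path and the audit heuristic are assumptions.

```javascript
// Added example, not XSLT Blender's own code. Assumes hypothetical page elements
// <input type="file" id="xml-file"> and <div id="output">, and a stylesheet ./app.xsl.

// Heuristic audit of an XSLT 1.0 stylesheet: list constructs that could fetch
// resources beyond the page itself, so a reviewer can confirm they stay local.
function auditStylesheet(xsltText) {
  const findings = [];
  const hrefRe = /<xsl:(import|include)\b[^>]*\bhref\s*=\s*["']([^"']*)["']/g;
  let m;
  while ((m = hrefRe.exec(xsltText)) !== null) {
    // absolute URL (has a scheme) or protocol-relative href
    if (/^[a-z][a-z0-9+.-]*:/i.test(m[2]) || m[2].startsWith('//')) {
      findings.push(`xsl:${m[1]} with absolute href: ${m[2]}`);
    }
  }
  if (/\bdocument\s*\(/.test(xsltText)) {
    findings.push('document() call present; confirm it resolves only local resources');
  }
  return findings;
}

// Parse XML text, failing loudly instead of rendering the browser's parsererror tree.
function parseXml(text) {
  const doc = new DOMParser().parseFromString(text, 'application/xml');
  if (doc.getElementsByTagName('parsererror').length > 0) throw new Error('XML parse error');
  return doc;
}

// Run the transform entirely in the browser; the XML never leaves the page.
function transformLocally(xmlText, xsltText) {
  const findings = auditStylesheet(xsltText);
  if (findings.length > 0) throw new Error('Stylesheet audit failed:\n' + findings.join('\n'));
  const proc = new XSLTProcessor();
  proc.importStylesheet(parseXml(xsltText));
  return proc.transformToFragment(parseXml(xmlText), document);
}

// Wire-up only when a browser DOM exists; the functions above load without one.
if (typeof window !== 'undefined') {
  document.getElementById('xml-file').addEventListener('change', async (ev) => {
    const file = ev.target.files[0];
    if (!file) return;
    const xmlText = await file.text();                        // read via the File API
    const xsltText = await (await fetch('./app.xsl')).text(); // shipped with the page
    document.getElementById('output').replaceChildren(transformLocally(xmlText, xsltText));
  });
}
```

The audit is a string-level heuristic that only makes external references visible for review; it is not a substitute for reading the stylesheet.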

Systems security and XML/XSLT

This site and its resources are provided as part of ongoing research into the security implications of open, standards-based declarative formats, using a small set of applications based on XML/XSLT (technologies standardized at the World Wide Web Consortium) as exempla and test (proof) cases.

Some of the underlying security principles to be demonstrated are implicit and not well understood; this site hopes to help elucidate them. On the whole, one of the project goals is to help surface, by example, what those principles are, including:

  • Specification and exposition of deterministic, traceable processes (I/O)
  • Testability and verifiability
  • Unencumbered and equitable access and availability
  • "Transparency by default" into data, policies and process

The applicability of these principles will never be absolute. "Transparency by default", for example, does not override requirements for confidentiality; indeed the principle in application must recognize how "by default" does not mean "always" or "total".

DISCLAIMERS

As research product representing the perspectives of the contributors, this work is subject to disclaimers:

The opinions, recommendations, findings, and conclusions in this publication do not necessarily reflect the views or policies of NIST or the United States Government.

Certain software applications and platforms are identified in this site for purposes of explanation and demonstration. Such identification does not imply recommendation or endorsement of any product or service by NIST, nor does it imply that the software identified is necessarily the best available for any purpose.

On this wiki

This wiki is conceived of as a workspace of hypomnemata or memoranda in progress towards more finished and polished presentations of the same ideas and principles.

Please feel free to contact the authors with ideas and feedback, or cite freely, with attribution.


Architecture - Applications delivered from this portal use the same libraries, but each one is distinct and independent. The architectural pattern they follow is the same. It is optimized for distribution of capability, not data - that is, this is not about publishing information at scale, but about making tools available that let people use the information they have, in new and better ways, safely, securely and maintainably. Because all the components are standards-based, they can also be factored out and reused in other systems.

Assessment - An XSLT-based system, designed to consume XML data, is layered and standards-based, so assessing it requires a holistic approach.

The technology stack is implemented in TypeScript, JavaScript, CSS, and XSLT, with additional XML resources. It presumes commodity tooling in your browser, as described on the Architecture page. An assessment can be made of an individual project, while the same assessment of the library and its dependencies will serve for any project, taking its use case into consideration.

Controls - See this page for a review of some SP 800-53 controls supported by this system.
