Hi,

We are providing a cloud-based application development environment using the BaseX database. We want to allow developers to write XQuery commands to access the database, but some security issues have appeared.

For example, the query "file:list('c:/')" returns the list of the C:\ directory.

Is it possible to exclude some modules from the BaseX engine, or is there any other way to execute a query in a sandbox environment which allows only FLWOR expressions and basic modules like "Math"?

Scanning for prefixes like "file:" may be a solution, but maybe there is a better way to do it.

Thank you for your help.

--
Ertan TİKE