Re: [xsl] http request - unexpected characters after document end

From: Oleg Tkachenko <olegt@xxxxxxxxxxxxx>
Date: Thu, 30 Aug 2001 11:47:08 +0200
Tim Watts wrote:

I have never known anyone to use document() to call a XML by its full URL
(http://www.google.com), and am unsure if the specifications for XSLT allow
including an XML which isn't on your own server.

As far as I know, server-side includes (SSI) don't allow includes of other
host names

ie - you can't do
<!--# include virtual = "http://www.yahoo.com/include.html" -->
only
<!--# include virtual = "/path/include.htm" -->

I would assume this would be the same for document()

Anyone know?  - I checked out the spec and I couldn't see anything which
explicitly said you could or couldn't do this, nor was there anything I
could find in the XSLT books I've got lying around.

Anyway, it's a security issue. And I believe implementors have to perform the checking.
Consider the following xml and stylesheet:


test.xml:
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="style.xsl" type="text/xsl"?>
<root></root>

style.xsl:
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('file://C:/sample.xml')"/>
</xsl:template>
</xsl:stylesheet>


Being loaded from the Internet (try http://www.tkachenko.org/xsl/test.xml), it produces an "Access is denied" error in IE 5.5, particularly for me.

--
Oleg Tkachenko
Multiconn International


XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
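
The kind of check discussed in the message above, as an added example that is not part of the original post or of any XSLT processor: it lists the literal document() URIs in a stylesheet and classifies each against the stylesheet's own location. The function names and the same-origin rule are assumptions made for illustration; the XSLT specification does not mandate them.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Matches document('...') / document("...") with a literal string argument.
# Arguments computed at run time are not covered by this static audit.
DOC_CALL = re.compile(r"""document\(\s*(['"])(.*?)\1""")
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(uri):
    """(scheme, host, port) triple used for the same-origin comparison."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def check_document_uri(base_uri, href):
    """Resolve one document() argument against the stylesheet URI and classify it."""
    resolved = urljoin(base_uri, href)
    # A stylesheet fetched over the network must not read the local file system.
    if urlsplit(resolved).scheme.lower() == "file" and urlsplit(base_uri).scheme.lower() != "file":
        return resolved, "deny-local-file"
    if origin(resolved) != origin(base_uri):
        return resolved, "cross-origin"  # assumed policy: flag for review
    return resolved, "same-origin"

def audit_stylesheet(xsl_text, base_uri):
    """Return (resolved_uri, verdict) for every literal document() call found."""
    findings = []
    for elem in ET.fromstring(xsl_text).iter():
        for value in elem.attrib.values():
            for _quote, href in DOC_CALL.findall(value):
                findings.append(check_document_uri(base_uri, href))
    return findings

# style.xsl from the message above, audited as if served from the remote host.
STYLE_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('file://C:/sample.xml')"/>
</xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    base = "http://www.tkachenko.org/xsl/style.xsl"
    for uri, verdict in audit_stylesheet(STYLE_XSL, base):
        print(uri, "->", verdict)
```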


