This is the mail archive of the xsl-list@mulberrytech.com mailing list.



Re: http request - unexpected characters after document end


Tim Watts wrote:

> I have never known anyone to use document() to call an XML by its full URL
> (http://www.google.com), and am unsure if the specifications for XSLT allow
> including an XML which isn't on your own server.
> 
> As far as I know, server-side includes (SSI) don't allow includes of other
> host names
> 
> ie - you can't do
> <!--# include virtual = "http://www.yahoo.com/include.html" -->
> only
> <!--# include virtual = "/path/include.htm" -->
> 
> I would assume this would be the same for document()
> 
> Anyone know?  - I checked out the spec and I couldn't see anything which
> explicitly said you could or couldn't do this, nor was there anything I
> could find in the XSLT books I've got lying around.

Anyway, it's a security issue, and I believe implementors have to perform
the checking.
Consider the following XML and stylesheet:

test.xml:
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="style.xsl" type="text/xsl"?>
<root></root>

style.xsl:
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
	<xsl:template match="/">
		<xsl:copy-of select="document('file://C:/sample.xml')"/>
	</xsl:template>
</xsl:stylesheet>

Being loaded from the Internet (try http://www.tkachenko.org/xsl/test.xml), it
produces an "Access is denied" error in IE 5.5, particularly for me.

-- 
Oleg Tkachenko
Multiconn International


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
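
One way a processor could implement the check discussed in this message, as an added example that is not part of the original post or of any browser's actual code: resolve the document() argument against the stylesheet's base URI and allow the fetch only if it stays on the stylesheet's own origin. The function names and the same-origin policy are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(uri):
    """Return (scheme, host, port) for an http(s) URI, or None for anything else."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:  # malformed port such as "host:abc"
        return None
    return (scheme, parts.hostname, port)  # .hostname is already lower-cased

def check_document_uri(stylesheet_uri, href):
    """Hypothetical policy hook: may document(href) be fetched by this stylesheet?

    Returns (allowed, resolved_uri, reason).
    """
    base = origin(stylesheet_uri)
    if base is None:
        return (False, href, "stylesheet base is not an http(s) URI")
    # document() resolves relative references against the stylesheet's base URI.
    resolved = urljoin(stylesheet_uri, href)
    target = origin(resolved)
    if target is None:
        scheme = urlsplit(resolved).scheme or "(none)"
        return (False, resolved, "scheme '%s' not allowed from a network stylesheet" % scheme)
    if target != base:
        return (False, resolved, "cross-origin: %s://%s:%d" % target)
    return (True, resolved, "same origin")

if __name__ == "__main__":
    # Constructed inputs; the base is style.xsl next to the test.xml URL in the post.
    BASE = "http://www.tkachenko.org/xsl/style.xsl"
    for href in ["file://C:/sample.xml", "data.xml", "", "//www.google.com/",
                 "http://WWW.TKACHENKO.ORG:80/other.xml"]:
        print(repr(href), "->", check_document_uri(BASE, href))
```

The empty string is allowed because document('') refers to the stylesheet itself, and the last input shows why host case and default ports must be normalised before comparing origins.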

