This is the mail archive of the
xsl-list@mulberrytech.com
mailing list .
Re: http request - unexpected characters after document end
- To: xsl-list at lists dot mulberrytech dot com
- Subject: Re: [xsl] http request - unexpected characters after document end
- From: Oleg Tkachenko <olegt at multiconn dot com>
- Date: Thu, 30 Aug 2001 11:47:08 +0200
- Organization: Multiconn International
- References: <000601c13126$f2be2370$a301a8c0@3d38kw1n0b1udc>
- Reply-To: xsl-list at lists dot mulberrytech dot com
Tim Watts wrote:
> I have never known anyone to use document() to call a XML by its full URL
> (http://www.google.com), and am unsure if the specifications for XSLT allow
> including an XML which isn't on your own server.
>
> As far as I know, server-side includes (SSI) don't allow includes of other
> host names
>
> ie - you can't do
> <!--# include virtual = "http://www.yahoo.com/include.html" -->
> only
> <!--# include virtual = "/path/include.htm" -->
>
> I would assume this would be the same for document()
>
> Anyone know? - I checked out the spec and I couldn't see anything which
> explicitly said you could or couldn't do this, nor was their anything I
> could find in the XSLT books I've got lying around.
Anyway it's security issue. And I believe implementors have to perform
the cheching.
Consider the following xml and stylesheet:
test.xml:
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="style.xsl" type="text/xsl"?>
<root></root>
style.xsl:
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('file://C:/sample.xml')"/>
</xsl:template>
</xsl:stylesheet>
Being loaded from inet (try http://www.tkachenko.org/xsl/test.xml), it
produce "Access is denied" error in ie5.5, particularly for me.
--
Oleg Tkachenko
Multiconn International
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list