invalid XSLT transformation if local file contains remote stylesheet reference : xml-stylesheet href='http://'




14 years ago
13 years ago


(Reporter: Benjamin Shrom, Assigned: peterv)


Windows XP

Firefox Tracking Flags

(Not tracked)




14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040514
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040514

Suppose we have local (saved on your HD) xml file, which has a reference 
to remote stylesheet such as:
<?xml-stylesheet href="" type="text/xsl"?>

If you open file locally then XSLT transformation displayed in the browser is
invalid. If you open the same file from the browser then everything is fine.
Mozilla also works if you save XSL file locally and point href to the local file
instead of remote http...

Reproducible: Always
Steps to Reproduce:
1. Create stylesheet and place it on the remote server with accessible URL
2. Create local xml file and reffer to the remote stylesheet via
<?xml-stylesheet href="" type="text/xsl"?>
3. Open XML file in Mozilla.

Actual Results:  
Invalid transformation is displayed.

<!-- data file -->
<?xml version="1.0"?>
<?xml-stylesheet href="" type="text/xsl"?>
<jxdm title="xml">
            <section sourceIDtext="22" id="S22" > bar </section>
            <section id="S23" sourceIDtext="23"> baz   </section>
            <another id="S24" sourceIDtext="24">
                <boom> baraz </boom>
                <boom> bazar </boom>
            <section> bar </section>
            <section> baz   </section>
                <boom id="S25" sourceIDtext="25"> baraz </boom>
                <boom id="S26" sourceIDtext="26"> bazar </boom>

<!---- Stylesheet ----------->
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"


  <xsl:variable name="location" select="''"/>
  <!-- Templates used to generate text content -->  

  <xsl:template match="/child::*[1]">
        <title>Data View</title>
        <style type="text/css">
          body { font-size: smaller }
          div, img { border: 0px; margin: 0px; padding: 0px }
          div.Node * { vertical-align: middle }
        <b><xsl:value-of select="name()"/></b>
        <xsl:apply-templates mode="line"/>

  <!-- Show each tree line -->
  <xsl:template match="*" mode="line">
    <div class="Node">
      <xsl:call-template name="graft"/>
      <xsl:apply-templates select="." mode="item"/>
    <xsl:apply-templates  select="child::*" mode="line"/>
  <xsl:template match="*" mode="item">
      <b><xsl:value-of select="name()"/></b>
      <xsl:text> [  </xsl:text>      
        <xsl:for-each select="@*">
            <i><xsl:value-of select="name()"/></i><xsl:text> =
"</xsl:text><xsl:value-of select="."/><xsl:text>" </xsl:text>
      <xsl:text> ] </xsl:text>
      <xsl:value-of select="text()"/>
  <!-- Templates used to generate the "stick stack" of
       tree connectors -->

  <xsl:template name="graft">
    <!-- Generate ancestor connectors -->
    <xsl:apply-templates select="ancestor::*" mode="tree"/>

    <!-- Generate current-node connector -->
      <xsl:when test="following-sibling::*">
        <img src="{$location}/tree_tee.gif"/>
        <img src="{$location}/tree_corner.gif"/>

  <!-- Suppress ancestor connector for the top node -->

  <xsl:template match="/child::*[1]" mode="tree"/>

  <!-- Show ancestor connectors for all other node types -->

  <xsl:template match="*" mode="tree">
      <xsl:when test="following-sibling::*">
        <img src="{$location}/tree_bar.gif"/>
        <img src="{$location}/tree_spacer.gif"/>

Mozilla doesn't allow cross domain XSLT. Meaning that the XML file and the XSLT
file has to be located on the same domain. The file protocol is a different
'domain' from anything loaded through http which means that mozilla won't
perform any XSLT operations.
Last Resolved: 14 years ago
Resolution: --- → INVALID

Comment 2

14 years ago
Then maybe Mozilla should report an error instead of invalid XSLT transformation?
Or some kind of message letting the user know that the stylesheet is invalid or
located on the different domain and just display XML?
please note that we don't perform an 'invalid transform', the XSLT is ignored

Comment 4

14 years ago
If XSLT ignored completely, then original XML should be displayed?
However, this is not the case. 
I apologize for being persistent :-).


The original XML is displayed. However not using the fancy xml-viewer (also
known as xml prettyprint). That one is only used for compleatly unstyled
documents where the author didn't even try, or intend, for the document to be
styled. That is not the case here, the author tried to style it but failed.

This means that we will use CSS styling to display the XML, which in the lack of
stylesheets will mean that all the text in the XML is lined up as a single line
of text.

Comment 6

13 years ago
This also applies to xsl specified as a chrome url. and applied to either remote
or local files. 
Yhis prevents extensions from shipping with an fixed xsl transform which is
applied to pages as required.

Is this restriction really necessary?
We _defenetly_ don't want remote or local files to be able to read from
_chrome_. Data (which includes stylesheets) that is installed on the local
mashine can contain highly sensitive information.

If you want to make an extension that performs xslt transformations then let the
extension install some hook that the page can call and then let the extension do
the transformation itself.
You need to log in before you can comment on or make changes to this bug.