Closed Bug 435078 Opened 16 years ago Closed 16 years ago
XSLT parser doesn't work in FF 3 RC1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008051206 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008051206 Firefox/3.0

I installed FF 3 RC1. I have an xml page which has a reference to an xslt embedded in the stylesheet declaration. When I open the xml in the browser it's supposed to show the transformed version of the xml. With this version of FF it just displays the plain content of the xml. It used to work fine in the earlier version of FF. The same xml displays the transformed content in IE.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Actual Results: Plain text content of xml file.

Expected Results: transformed version of xml (HTML in my case)
Are you opening the xml file locally rather than via a web server? If so, is the xslt file in the same directory or below that of the xml file?
Yes, I'm trying to open an xml file from my file system. I have the xsl file in a different folder, but the stylesheet declaration has a relative path reference to the xslt file. The same file used to work with the older version of FF.
It's a security thing. People download files from the internet; those downloaded files should not then be able to read any file on the disk willy-nilly. You will need to put the XSLT file in the same directory or in a sub-directory of the xml file.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
That sounds hard. I don't get why it should be a security issue. After all I'm using transformation data from the local file system, not even trying to modify it. Is there an article or any sort of document that provides more insight on this security issue? Thanks for the reply.
Resolution: WONTFIX → DUPLICATE
> I don't get why it should be a security issue.
Because if you can reference a file as an XSLT transformation that means you can read the data from file F. It's not a matter of modifying, it's a matter of stealing your financial data.
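The rule described in this thread (a local XML file may only load a stylesheet from its own directory or a sub-directory of it), sketched as an added example that is not part of the original bug report and is not Firefox's code. The function names, sample XML and paths are constructed for illustration, and only the `file:` case discussed here is modeled.

```javascript
// Added example: models the same-directory-or-below rule from this thread.
// All names and sample data here are hypothetical, not Firefox internals.

// Return the href of the first <?xml-stylesheet ...?> processing instruction.
function stylesheetHref(xmlText) {
  const pi = /<\?xml-stylesheet\s+([\s\S]*?)\?>/.exec(xmlText);
  if (!pi) return null;
  const href = /\bhref\s*=\s*(["'])(.*?)\1/.exec(pi[1]);
  return href ? href[2] : null;
}

// Directory part of a URL path, always ending in "/" so that
// "/docs/" does not also match a sibling such as "/docs2/".
function dirOf(url) {
  return url.pathname.slice(0, url.pathname.lastIndexOf('/') + 1);
}

// True when the stylesheet resolves to the XML file's directory or below it.
function mayLoadStylesheet(xmlUrl, href) {
  const doc = new URL(xmlUrl);
  // Resolving against the document URL collapses "../" segments first,
  // so the comparison is made on the normalized path.
  const sheet = new URL(href, doc);
  if (doc.protocol !== 'file:' || sheet.protocol !== 'file:') return false;
  if (doc.host !== sheet.host) return false;
  return sheet.pathname.startsWith(dirOf(doc));
}

// Check one local XML document: which stylesheet it names and whether
// the rule would let it load.
function checkLocalXml(xmlUrl, xmlText) {
  const href = stylesheetHref(xmlText);
  if (href === null) return { href: null, resolved: null, allowed: false };
  return {
    href,
    resolved: new URL(href, xmlUrl).href,
    allowed: mayLoadStylesheet(xmlUrl, href),
  };
}

// Constructed sample: the reporter's layout, with the XSLT in a different folder.
const SAMPLE_XML =
  '<?xml version="1.0"?>\n' +
  '<?xml-stylesheet type="text/xsl" href="../xsl/report.xsl"?>\n' +
  '<report/>';

console.log(checkLocalXml('file:///home/user/docs/report.xml', SAMPLE_XML));
```

Paths are compared case-sensitively here, which is an assumption of this sketch and does not match case-insensitive file systems.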