Closed Bug 668484 Opened 13 years ago Closed 13 years ago

XSL stylesheets on local drives don't work

Categories

(Core :: XSLT, defect)

Product:
Core
Component:
XSLT
Platform:
All
Other
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED DUPLICATE of bug 397894

People

(Reporter: will.pittenger1+mozbugzilla, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Build ID: 20110615151330

Steps to reproduce:

I have an XML file on my hard drive.  Its stylesheet is "../../gallery.xsl".  Firefox 5.0 32-bit (Windows Vista SP4 64-bit) shows only the text in the XML without any tags.  IE9 handles the same exact XML/XSL combination correctly.  werwolf confirmed the problem.  He also uploaded some files and verified that relative paths on a remote server don't have a problem.  My XSL reference is as follows:

<?xml-stylesheet type="text/xsl" href="../../Gallery.xslt"?>


Actual results:

Firefox shows only text nodes from the XML.  It is like it is trying to treat the XML file as HTML.


Expected results:

I was expecting HTML output from this XSL file.  As noted, IE9 processes the XSL correctly.
You need to put the xslt file in the same directory or a subdirectory of the xml file, it can't be outside for security reasons.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Works in Opera and IE, is it really a bug? I dont thing so
Robert Longson, where is it in the specification?

xslt are just style-documment like css is. I mean it should behave the same way. The developer has to set up correctly his server.
See the bug I've duplicated this to for details.
Resolution: INVALID → DUPLICATE
> xslt are just style-documment like css is.

Not quite, actually.  There are some subtle but important differences from a security perspective.
Status: RESOLVED → VERIFIED
Boris could you point me please to the part of spec. where it is spoken about it? I have to fill the bug for Opera. Thanks
There is no spec covering XSLT security issues.  Like many other old W3C specs it was written without any security considerations in mind, which means that just implementing the spec leaves security holes open...
You need to log in before you can comment on or make changes to this bug.