tomcat-dev mailing list archives

From Konstantin Preißer <>
Subject RE: svn commit: r1528631 - /tomcat/trunk/webapps/docs/tomcat-docs.xsl
Date Thu, 03 Oct 2013 13:16:45 GMT
Hi Konstantin,

> -----Original Message-----
> From: Konstantin Kolinko []
> Sent: Thursday, October 3, 2013 1:36 PM

> The file mentioned in the external entity declaration is loaded (via
> the entity resolver) and its text is inserted as-is in the specified
> place,
> My impression from the last time that I checked this feature, two or
> more years ago, is that it is a security limitation in those particular
> browsers.
> (Especially in IE.  I think that older Firefox versions did process
> the entity and did show the menu, but I do not see this behaviour with
> the current version. Currently both IE 10 and Firefox 24 behave the
> same for the Tomcat 7 docs).
> There were security issues in the processing of external entities in XML
> in old versions of IE. If I remember correctly, it allowed reading
> arbitrary files.
> (I thought that it was an old story, but a quick search finds recent
> issues, announced in September 2013,

Thank you for the explanation. It makes sense that this is disabled because of security concerns.
E.g. I was able to make IE8 read an arbitrary local file and report its contents with JavaScript
when opening a local .xml file (but not when opening an http://... URL).

> It is nice that you found $project as the way to implement this.
> Though I do not see any use of the menu except showing the actual
> layout of the page. The menu itself is useless, as
> a) it has links to *.html documents, not *.xml ones;
> b) no other xml documents have the stylesheet directive.
> I do not care much about the menus. I do care that the file is readable
> when I browse the changelog locally (via the file:// protocol) as a
> preview before committing a change. Your $project recipe does work
> here and it is good.
> By the way, just for information, a similar security issue:
> I once tried to apply the same XSLT trick in Tomcat Native
> miscelaneous/changelog.xml as
> <?xml-stylesheet type="text/xsl" href="../style.xsl"?>
> It did not work when browsing locally.  The problem is that
> browsers refuse to load a stylesheet from the parent directory
> ("../style.xsl") because of security concerns.
> Best regards,
> Konstantin Kolinko

Konstantin Preißer
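The thread above describes why browsers refuse to resolve an external entity such as `<!ENTITY project SYSTEM "project.xml">` when an .xml file is opened from disk: a parser that honours SYSTEM entities will splice any readable local file into the document text. The script below is an added illustration and is not code from the thread or from Tomcat. It uses Python's standard xml.sax (expat) parser as a stand-in for the browser's XML parser, builds a constructed fixture (a `secret.txt` and a `doc.xml` that references it through an external entity, the same mechanism as the docs' `&project;` trick) in a temporary directory, and parses it twice: once with external general entity resolution switched on (the behaviour the thread attributes to old IE on file://) and once with it off (the hardened behaviour, and Python's own default since 3.7.1). The file names and contents are assumptions made for the demo.

```python
"""Show what external entity resolution does to a local XML file.

Added example, not Tomcat code. xml.sax (expat) stands in for a browser's
XML parser. The fixture files below are constructed for the demo.
"""
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample data: a "secret" file beside the XML document, and a
# document that declares an external entity pointing at it, exactly the
# way changelog.xml pulls in project.xml with <!ENTITY project SYSTEM ...>.
SECRET_CONTENT = "db_password=hunter2\n"
XML_DOC = """<?xml version="1.0"?>
<!DOCTYPE document [
  <!ENTITY secret SYSTEM "secret.txt">
]>
<document><title>changelog</title><body>&secret;</body></document>
"""


class TextCollector(ContentHandler):
    """Collect every run of character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def write_fixture(directory):
    """Write secret.txt and doc.xml into `directory`; return the doc path."""
    with open(os.path.join(directory, "secret.txt"), "w", encoding="utf-8") as f:
        f.write(SECRET_CONTENT)
    doc_path = os.path.join(directory, "doc.xml")
    with open(doc_path, "w", encoding="utf-8") as f:
        f.write(XML_DOC)
    return doc_path


def parse_text(doc_path, resolve_external_entities):
    """Parse doc_path and return the character data of the document.

    resolve_external_entities=True makes expat fetch the SYSTEM entity
    relative to doc_path and inline its bytes (the XXE behaviour).
    False makes the parser drop the reference, which is what current
    browsers do for file:// documents and what Python does by default.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(doc_path)
    return handler.text()


def demo():
    """Return (permissive_text, hardened_text) for the constructed fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        doc_path = write_fixture(tmp)
        permissive = parse_text(doc_path, True)
        hardened = parse_text(doc_path, False)
    return permissive, hardened


if __name__ == "__main__":
    permissive, hardened = demo()
    print("external entities ON :", repr(permissive))
    print("external entities OFF:", repr(hardened))
```

With resolution on, the body of the document contains the secret file's contents; with it off, only "changelog" survives and the `&secret;` reference is silently skipped. That silent drop is exactly why the `$project` variable approach in the stylesheet is needed: a browser that behaves like the hardened parser never sees the entity's text, so the stylesheet cannot rely on it being there.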

