Hi Konstantin,

> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> Sent: Thursday, October 3, 2013 1:36 PM


> The file mentioned in the external entity declaration is loaded (via
> the entity resolver) and its text is inserted as-is in the specified
> place,
> 
> 
> My impression from the last time that I checked this feature, two or
> more years ago, is that it is a security limitation in those particular
> browsers.
> 
> (Especially in IE.  I think that older Firefox versions did process
> the entity and did show the menu, but I do not see this behaviour with
> the current version. Currently both IE 10 and Firefox 24 behave the
> same for Tomcat 7 docs).
> 
> There were security issues in the processing of external entities in
> XML in old versions of IE. If I remember correctly, it allowed reading
> some arbitrary files.
> 
> (I thought that it was an old story, but a quick search finds recent
> issues, announced in September 2013,
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3159
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3160

Thank you for the explanation. It makes sense that this is disabled because of 
security concerns.
E.g. I was able to make IE8 read an arbitrary local file and report the 
contents with JavaScript when opening a local .xml file (but not when opening 
an http://... URL).


> It is nice that you found the $project as the way to implement this.
> Though I do not see any use of the menu except showing the actual
> layout of the page. The menu itself is useless, as
> 
> a) it has links to *.html documents, not *.xml ones.
> b) no other XML documents have a stylesheet directive
> 
> 
> I do not care much about the menus. I do care that the file is readable
> when I browse the changelog locally (via the file:// protocol) as a
> preview before committing a change. Your $project recipe does work
> here and it is good.
> 
> By the way, just for information, a similar security issue:
> I once tried to apply the same XSLT trick in Tomcat Native
> miscelaneous/changelog.xml as
> <?xml-stylesheet type="text/xsl" href="../style.xsl"?>
> 
> That did not work when browsing locally.  The problem is that
> browsers refuse to load the stylesheet from the parent directory
> ("../style.xsl") because of security concerns.
> 
> Best regards,
> Konstantin Kolinko
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org


Regards,
Konstantin Preißer


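The mechanism discussed above, as an added example that is not part of this thread and is not Tomcat's own build code: a document declares an external general entity with a SYSTEM id, the parser fetches that file through its entity resolver and splices the text in at the reference, which is exactly what makes an attacker-chosen SYSTEM id a local file read. The example parses the same constructed changelog.xml/project.xml pair three ways (external entity loading on, loading off, and loading on but with a resolver that refuses any SYSTEM id outside the document's own directory, the same kind of restriction the browsers apply to "../style.xsl"), and then feeds the restricted resolver a constructed document whose entity points at "../outside.txt". All file names and document contents are invented for the example; the parser is Python's xml.sax (expat), not a browser.

```python
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed sample documents; the layout mimics a Tomcat-style xdoc with a
# $project-like external entity, but the content is invented for this example.
CHANGELOG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE document [
  <!ENTITY project SYSTEM "project.xml">
]>
<document url="changelog.html">
  &project;
  <body><section name="Example 1.0">Example entry.</section></body>
</document>
"""

PROJECT = """<project name="Example Project" href="http://example.invalid/">
  <logo href="/images/logo.gif">Example Project</logo>
</project>
"""

# A document whose entity points outside its own directory: the shape of a
# file-reading XXE. The target file is never created; the resolver must refuse
# it before any open() happens.
LEAK = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE document [
  <!ENTITY leak SYSTEM "../outside.txt">
]>
<document>&leak;</document>
"""


class ElementCollector(ContentHandler):
    """Records element names in document order, including the ones that
    arrive from an expanded external entity."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def startElement(self, name, attrs):
        self.elements.append(name)


class SameDirectoryResolver(EntityResolver):
    """Entity resolver that only resolves SYSTEM ids that stay inside base_dir.
    Absolute paths, '..' components and symlinks that escape are refused."""

    def __init__(self, base_dir):
        self.base_dir = os.path.realpath(base_dir)
        self.refused = []

    def resolveEntity(self, publicId, systemId):
        candidate = os.path.realpath(os.path.join(self.base_dir, systemId))
        if os.path.commonpath([self.base_dir, candidate]) != self.base_dir:
            self.refused.append(systemId)
            raise xml.sax.SAXException(
                "refusing external entity outside document directory: " + systemId)
        return candidate


def parse_document(xml_path, load_external, restrict_to_dir=None):
    """Parse xml_path with SAX. Returns the elements seen, the message of any
    SAXException, and the SYSTEM ids the restricting resolver refused."""
    parser = xml.sax.make_parser()
    # Set explicitly on both branches: the default changed across Python versions.
    parser.setFeature(feature_external_ges, load_external)
    handler = ElementCollector()
    parser.setContentHandler(handler)
    resolver = None
    if restrict_to_dir is not None:
        resolver = SameDirectoryResolver(restrict_to_dir)
        parser.setEntityResolver(resolver)
    error = None
    try:
        parser.parse(xml_path)
    except xml.sax.SAXException as exc:
        error = str(exc)
    return {"elements": handler.elements, "error": error,
            "refused": resolver.refused if resolver else []}


def demo():
    """Write the constructed files into a temp dir and run the four parses."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, text in (("project.xml", PROJECT),
                           ("changelog.xml", CHANGELOG),
                           ("leak.xml", LEAK)):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "w", encoding="utf-8") as f:
                f.write(text)
        return {
            # entity file fetched and spliced in: project/logo appear inline
            "loaded": parse_document(paths["changelog.xml"], True),
            # external entity loading off: the reference expands to nothing
            "disabled": parse_document(paths["changelog.xml"], False),
            # loading on, but only from the document's own directory
            "allowed": parse_document(paths["changelog.xml"], True, d),
            "blocked": parse_document(paths["leak.xml"], True, d),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "disabled" parse is the safe default for untrusted input (current Python leaves feature_external_ges off unless you turn it on); the restricted resolver is the middle ground for a documentation build that genuinely needs a sibling file spliced in. On the Java side the corresponding switches are the SAX feature http://xml.org/sax/features/external-general-entities (set to false) or the javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD property (set to the empty string).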