2013/10/3 Konstantin Preißer <kpreis...@apache.org>:
> Hi,
>
>> -----Original Message-----
>> From: kpreis...@apache.org [mailto:kpreis...@apache.org]
>> Sent: Wednesday, October 2, 2013 11:25 PM
>
>> - <xsl:apply-templates select="project/body/menu"/>
>> + <xsl:apply-templates select="$project/body/menu"/>
>
> The previous version seemed to use the <project> tree that is loaded from
> project.xml by the "&project;" entity that is placed on top of the <document>:
>
> <document url="monitoring.html">
>
> &project;
>
> <properties>
> <title>Monitoring and Managing Tomcat</title>
> </properties>
> [...]
>
> Which is declared in the doctype:
>
> <!DOCTYPE document [
> <!ENTITY project SYSTEM "project.xml">
> ]>
>
> However, Firefox and IE didn't seem to load the content from "project.xml",
> so when viewing changelog.xml
> (http://svn.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml) the
> LHS menu, project title etc. were not visible.
>
> When using the $project variable (which is filled with the tree from
> project.xml by XSLT via document() function), then everything works.
>
> Does somebody know why that &project; entity did not work in such browsers?
>
> I do not have such detailed knowledge of XML - how is this entity supposed to
> work? E.g. when I open a file like monitoring.xml in Tomcat docs then the XML
> tree shown by the browser does not contain a <project> element.
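
Review bot: the select in the quoted hunk is the only path shown moving to `$project`, while the message below it reports that the project title was missing in the browser as well. Any remaining select in the stylesheet that still starts at a bare `project/...` path depends on the same `&project;` expansion and would need the `$project` prefix too. A short comment next to the `$project` definition, saying that it is filled via document() because browsers do not expand the external entity, would keep a later cleanup from reverting this.
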
The file mentioned in the external entity declaration is loaded (via entity
resolver) and its text is inserted as is in the specified place.

My impression from the last time that I checked this feature, two or more
years ago, is that it is a security limitation in those particular browsers.
(Especially in IE. I think that older Firefox versions did process the entity
and did show the menu, but I do not see this behaviour with the current
version. Currently both IE 10 and Firefox 24 behave the same for Tomcat 7
docs).

There were security issues in processing of external entities in XML in old
versions of IE. If I remember correctly, it allowed reading some arbitrary
files. (I thought that it was an old story, but a quick search finds recent
issues, announced in September 2013,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3159
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3160)

It is nice that you found the $project as the way to implement this.

Though I do not see any use of the menu except showing the actual layout of
the page. The menu itself is useless, as
a) it has links to *.html documents, not *.xml ones.
b) no other xml documents have a stylesheet directive

I do not care much about the menus. I do care that the file is readable when I
browse the changelog locally (via file:// protocol) as a preview before
committing a change. Your $project recipe does work here and it is good.

By the way, just for information, a similar security issue:
I once tried to apply the same XSLT trick in Tomcat Native
miscelaneous/changelog.xml as

<?xml-stylesheet type="text/xsl" href="../style.xsl"?>

It did not work when browsing locally. The problem is that browsers refuse
to load a stylesheet from a parent directory ("../style.xsl") because of
security concerns.

Best regards,
Konstantin Kolinko
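
The entity behaviour discussed in this thread, as an added example that is not part of the original messages or of Tomcat's code: the same document is parsed once with external general entities switched off (the tree has no `<project>` element, as in the browsers described) and once with them switched on through an entity resolver. Python's `xml.sax` stands in for the browser's XML parser; the document, the in-memory `project.xml` content and the names `InMemoryResolver`, `ElementNames` and `element_names` are constructed for illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample modelled on the fragment quoted in the thread.
DOCUMENT = b"""<!DOCTYPE document [
  <!ENTITY project SYSTEM "project.xml">
]>
<document url="monitoring.html">
  &project;
  <properties><title>Monitoring and Managing Tomcat</title></properties>
</document>"""

# Constructed stand-in for project.xml (not the real Tomcat file).
ENTITY_FILES = {"project.xml": b"<project><body><menu/></body></project>"}


class InMemoryResolver(EntityResolver):
    """Serve entity text from ENTITY_FILES only; never touch disk or network."""

    def resolveEntity(self, publicId, systemId):
        if systemId not in ENTITY_FILES:
            raise ValueError(f"external entity not allowed: {systemId!r}")
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(ENTITY_FILES[systemId]))
        return source


class ElementNames(ContentHandler):
    """Record element names in document order."""

    def __init__(self):
        super().__init__()
        self.names = []

    def startElement(self, name, attrs):
        self.names.append(name)


def element_names(resolve_external_entities):
    """Parse DOCUMENT and return the element names the parser reports."""
    parser = xml.sax.make_parser()
    # False: the &project; reference is skipped, so no <project> subtree appears.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setEntityResolver(InMemoryResolver())
    handler = ElementNames()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(DOCUMENT))
    return handler.names
```

With resolution off the resolver is never consulted, which is the safe default for untrusted XML; when it is on, the allowlist in the resolver bounds which system identifiers can be pulled into the document.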