Cart
[Home] [By Thread] [By Date] [Recent Entries]
Jim, first of all, thank you so much for the pointers. This is just awful. It really hurts. This essentially nukes an entire branch of applications. It prevents us now from fully taking advantage of the seperation between data and presentation. It is a feature, not a bug, to have data and presentation in different locations, different locations *on the web*. And this feature is so much bigger than allowing some script hacking inside XSL thru <msxsl:script>. I'm angry, frustrated and very sad about this observation, - Sebastian -----Ursprüngliche Nachricht----- Von: Jim Ancona Gesendet: Do 08.08.2002 18:10 An: xml-dev@l... Cc: Sebastian Schnitzenbaumer Betreff: RE: What the .... ? Referencing XSL stylesheets across domains --- Sebastian Schnitzenbaumer <schnitz@m...> wrote: > http://markuplanguage.oss4u.de/test3.xml > references http://www.w3.org/Style/XSL/stylesheets/public2html.xsl > > This works in Mozilla (the result looks bogus, I'm just testing), my IE6 > says access denied. I just want to hear from someone "yes, this is true, > we've known this for years, or, no, actually it does work, you must > have some other bug". Please let me know... Note that MSDN[1] says the URI in the xsl-stylesheet PI "is the Uniform Resource Identifier (URI) of the style sheet. This URI is relative to the location of the XML document itself." The W3C REC that defines the PI[2] has no such restriction. Since Microsoft allows the <msxsl:script> extension which permits embedded script code in stylesheets, it might be that this behavior is designed to prevent some kind of cross-site scripting exploit. Jim [1] - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsdk/ htm/xml_concepts_369f.asp [2] - http://www.w3.org/TR/xml-stylesheet/ ===== Jim Ancona jim@a... jancona@x... __________________________________________________ Do You Yahoo!? HotJobs - Search Thousands of New Jobs http://www.hotjobs.com
|
