views: 213

answers: 2

Opening an XML file in Internet Explorer gives a security warning. IE has a nice collapsible tree view for viewing XML, but it's disabled by default and you get this scary error message about a potential security hole. http://www.leonmeijer.nl/archive/2008/04/27/106.aspx

But why? How can simply viewing an XML file (not running any embedded macros in it or anything) possibly be a security hole? Sure, I get that running XSLT could potentially do some bad stuff, but we're not talking about executing anything. We're talking about viewing. Why can't IE simply display the XML file as text (plus with the collapsible tree viewer)?

So why did they label this as a security hole? Can someone describe how simply viewing an XML document could be used as an attack document?

+1  A: 

IE is still rendering the document even though in the end it's showing you that nice tree view you like. What it is actually showing you is a transformed version of the XML file. IIRC it transforms the doc to DHTML using XSLT. So the doc is still being run through its rendering engine. If, in the course of rendering the document, a tag shows up that says something like

<object ... />

IE will probably fetch the object and load it into the document. If the object is a malicious ActiveX control or a bit of nasty Java it'll get run.

Ian C.
Thanks. Sounds like a silly way for them to do it that's almost certainly not what the user wants, but I guess I can understand how it happened now.
Tav
The XML isn't being rendered, the DHTML produced by the XSLT is. The only way that DHTML would contain an `object` element would be if the XSLT inserted one, and it doesn't. Source elements get transformed with the markup characters escaped; if they weren't, IE wouldn't display them.
Robert Rossney
Robert: you're absolutely right. See the answer below for the additional discussion.
Ian C.
+4  A: 

I don't think Ian is correct. What's actually going on is that the collapsible tree viewer is HTML, and it includes JavaScript. IE is rendering the XML as colorized, collapsible HTML, and the expand/collapse code is implemented in JavaScript. Then, IE hits the default security policy that prevents it from executing JS in files that are opened from the local filesystem, and it gives you that warning about how "this webpage" is restricted from running scripts.

You can verify this by noting that if you do not choose to "Allow Blocked Content" then the expand/collapse will not function. If you do allow scripts to run, the expand/collapse will suddenly start working.

Joel Mueller
You're correct, but Ian's point is valid as well.
EricLaw -MSFT-
Really? I guess I assumed that the XML angle brackets were getting converted to `&lt;` and `&gt;` in order to be displayed rather than rendered - which would prevent Ian's example of an `<object/>` tag from loading any sort of malicious code.
Joel Mueller
Joel, I'm not at home but tonight I'll post the link I had found from the MSDN website that detailed how IE was using XSL (in IE 6) and XSLT (in IE > 6) to convert the XML to DHTML. It specifically mentions parsing stylesheets included in the XML to produce the final rendering. The scripts stuff is an extrapolation. I can't seem to find the link again here at work, but it's in my browser history at home.
Ian C.
Oh, so it's not about unsafe tags that might be in the XML file, but malicious xsl linked to from the XML file. I get it now, thanks.
Joel Mueller
Following up. Here is where I got the info about IE doing an XSLT transform to DHTML: http://xml.silmaril.ie/users/browsers/
Ian C.
Well, your point (emitted javascript for expand/collapse), Joel, is actually the immediate/direct cause of that information bar.
EricLaw -MSFT-
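The three points made in this thread (the source markup is escaped by the transform, the expand/collapse handler is script emitted by the viewer itself, and an `xml-stylesheet` processing instruction can point the browser at an external XSL file) can be seen in a small model of such a viewer. The following is an added example written for this page, not IE's actual tree-view code or the XSL stylesheet it ships with: a toy tokenizer and renderer for a simple XML subset (no CDATA, comments or DTDs), a viewer script, and a constructed sample document that deliberately contains `<object>` and `<script>` elements. All function names and the sample input are assumptions of this example.

```javascript
// Added example, not IE's code: a minimal model of a "pretty-print XML" view.
// The source XML is tokenized and rendered as HTML with every markup character
// of the SOURCE escaped, so an <object> or <script> element in the XML becomes
// visible text, never a live element. The only script in the output is the
// viewer's own expand/collapse handler, which is the script that a browser's
// local-file policy would block.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
function escapeHtml(s) {
  return s.replace(/[&<>"]/g, (c) => ESCAPES[c]);
}

// Tokenize a deliberately simple XML subset into processing instructions,
// open/close tags and text. Not a real XML parser.
function tokenize(xml) {
  const tokens = [];
  const re = /<\?([^?]*)\?>|<\/([^>]+)>|<([^\s\/>]+)([^>]*?)(\/?)>|([^<]+)/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m[1] !== undefined) tokens.push({ type: 'pi', body: m[1].trim() });
    else if (m[2] !== undefined) tokens.push({ type: 'close', name: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: 'open', name: m[3], attrs: m[4].trim(), selfClosing: m[5] === '/' });
    else if (m[6].trim() !== '') tokens.push({ type: 'text', text: m[6].trim() });
  }
  return tokens;
}

// Render tokens as nested HTML. Element names, attributes and text all pass
// through escapeHtml(), so nothing from the viewed document becomes markup.
function renderTree(tokens) {
  let html = '';
  for (const t of tokens) {
    switch (t.type) {
      case 'pi':
        html += `<div class="pi">&lt;?${escapeHtml(t.body)}?&gt;</div>`;
        break;
      case 'open': {
        const attrs = t.attrs ? ' ' + escapeHtml(t.attrs) : '';
        if (t.selfClosing) {
          html += `<div class="leaf">&lt;${escapeHtml(t.name)}${attrs}/&gt;</div>`;
        } else {
          html += `<div class="node"><span class="toggle" onclick="toggle(this)">-</span>` +
                  `&lt;${escapeHtml(t.name)}${attrs}&gt;<div class="children">`;
        }
        break;
      }
      case 'close':
        html += `</div>&lt;/${escapeHtml(t.name)}&gt;</div>`;
        break;
      case 'text':
        html += `<span class="text">${escapeHtml(t.text)}</span>`;
        break;
    }
  }
  return html;
}

// The viewer's own expand/collapse handler: emitted by the viewer, not taken
// from the XML. This is the script a local-file policy would refuse to run.
const VIEWER_SCRIPT = `<script>
function toggle(el) {
  var children = el.parentNode.querySelector('.children');
  var hidden = children.style.display === 'none';
  children.style.display = hidden ? '' : 'none';
  el.textContent = hidden ? '-' : '+';
}
</script>`;

function xmlToTreeHtml(xml) {
  return `<!DOCTYPE html><html><body>${VIEWER_SCRIPT}${renderTree(tokenize(xml))}</body></html>`;
}

// Returns the href of an <?xml-stylesheet ...?> PI if present (an external
// stylesheet the browser would fetch and apply instead of its built-in view),
// or null if the document has none.
function linkedStylesheet(xml) {
  const m = /<\?xml-stylesheet\s[^?]*href\s*=\s*"([^"]*)"[^?]*\?>/.exec(xml);
  return m ? m[1] : null;
}

// Constructed sample input (not a real document): markup that would be
// dangerous if rendered live, plus a stylesheet PI pointing at an assumed file.
const SAMPLE_XML = `<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="evil.xsl"?>
<root>
  <object classid="clsid:0000" data="http://example.invalid/x"/>
  <script>alert(1)</script>
  <note>plain text &amp; entities</note>
</root>`;

// Security property to check: apart from the viewer's own script, the output
// contains no live <object> or <script> element.
function sourceMarkupIsInert(html) {
  const body = html.replace(VIEWER_SCRIPT, '');
  return !/<(object|script)\b/i.test(body);
}

if (typeof require !== 'undefined' && require.main === module) {
  const html = xmlToTreeHtml(SAMPLE_XML);
  console.log(html);
  console.log('linked stylesheet:', linkedStylesheet(SAMPLE_XML));
  console.log('source markup inert:', sourceMarkupIsInert(html));
}
```

Run it with `node` and open the printed HTML in a browser: the `<object>` and `<script>` from the sample appear as text, the only executable script is the toggle handler, and `linkedStylesheet()` reports the external XSL the document asks to be applied, which is the part a browser would have to fetch and trust separately.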