Posted to users@cocoon.apache.org by Pi...@cec.eu.int on 2000/09/22 14:33:13 UTC
RE: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL
Isn't that what Open Source means ?
Pierre A.
> -----Original Message-----
> From: Stephen Zisk [mailto:szisk@mediabridge.net]
> Sent: Thursday, September 21, 2000 20:26
> To: cocoon-users@xml.apache.org
> Subject: Re: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL
>
>
> Be careful of security implications, though. That is, make sure you do not
> make this capability work such that if there is a file mumble.xml, you can
> see its source by pointing to mumble.xmls. This is a convenient scheme for
> certain kinds of debugging, but if you forget to turn it off, you are
> exposing your XML source to prying eyes. M$ did this in early versions of ASP.
>
> > > I am now thinking of for all XML with filename .xmls, the apache server
> > > will use another servlet etc. to pretty print it.
> > >
> > > If there is already a similar sol'n, that would be appreciated also.
> >
> > Within the examples dir there is a file called view_source.xml I believe
> > that can do this for you... I think this can be easily transformed to a
> > servlet which does that always for you... when the extension of a file
> > is .xmls (like phps for php)...
> >
> > Peter
>
> ----------
> Stephen Zisk                   MediaBridge Technologies
> email: szisk@mediabridge.net   100 Nagog Park
> tel: 978-795-7040              Acton, MA 01720 USA
> fax: 978-795-7100              http://www.mediabridge.net
Re: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL
Posted by Andrew Wat <cs...@cs.ust.hk>.
Hello,
> That being said, you could implement the source viewing extension with
> zero programming by using the sample view-source application and one
> apache rewrite rule to do the following transformation on the uri:
>
> /foo/bar.xmls -> /view-source?filename=/docroot/foo/bar.xml
Thanks for this pointer.
I think I can conclude that I cannot use the particular XSL that I want
to use (which has the collapsible tree JavaScript effect) unless I
tweak around with view-source XSP to incorporate this particular XSL.
I also thank others for pointing out the security issue.
Thanks
Andrew
Re: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL
Posted by Jason T <l-...@ahab.com>.
On Fri, Sep 22, 2000 at 03:53:08PM -0400, Stephen Zisk wrote:
>
> Of course, masking the XML source cannot make up for lazy design or poorly
> implemented security, but exposing the source may be a potential unlocked
> door for knob twisters.
This is all very true... a careful reading of news reports about hacks
(even in contests) reveals that unprotected or insecurely designed web
applications may be responsible for more site cracks than you'd
normally think.
That being said, you could implement the source viewing extension with
zero programming by using the sample view-source application and one
apache rewrite rule to do the following transformation on the uri:
/foo/bar.xmls -> /view-source?filename=/docroot/foo/bar.xml
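The rewrite mapping Jason describes, written out as an httpd.conf fragment with the always-on form beside a version that addresses Stephen's "if you forget to turn it off" concern. This is an added example, not from the thread or from Cocoon's own distribution; it assumes mod_rewrite is loaded, the sample view-source application answers at /view-source, the document root is /docroot, and XMLS_DEBUG is a define name chosen here.

```apache
# Added example (not from the thread or from Cocoon's own distribution).
# Assumptions: mod_rewrite is loaded, Cocoon's sample view-source
# application is reachable at /view-source, the document root is /docroot,
# and XMLS_DEBUG is a define name chosen here (start httpd with -D XMLS_DEBUG).

# Weak form: the mapping from the thread, always on for every client.
# Anyone who guesses bar.xmls can read the raw source of bar.xml.
#
#   RewriteEngine On
#   RewriteRule ^/(.*)\.xmls$ /view-source?filename=/docroot/$1.xml [PT,L]

# Hardened form: only active when the server is started with the debug
# define, so the mapping cannot be left on by a normal start, and only
# honoured for requests from the loopback address.
<IfDefine XMLS_DEBUG>
    RewriteEngine On

    # Only the local machine may ask for .xmls views.
    RewriteCond %{REMOTE_ADDR} ^127\.0\.0\.1$
    # Refuse any path containing ".." so $1 cannot point outside /docroot.
    RewriteCond %{REQUEST_URI} !\.\.
    # /foo/bar.xmls -> /view-source?filename=/docroot/foo/bar.xml
    RewriteRule ^/(.*)\.xmls$ /view-source?filename=/docroot/$1.xml [PT,L]
</IfDefine>

# Without the define, .xmls requests are not rewritten at all; they are
# simply non-existent resources, so the XML source stays unreachable.
```

The view-source application should still refuse a filename that resolves outside /docroot; the rewrite conditions are the first gate, not the only one.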
RE: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL
Posted by Stephen Zisk <sz...@mediabridge.net>.
>Isn't that what Open Source means ?
>
>Pierre A.
I'm not sure whether to take this as a tease or not. Ah, well! My friends
say I'm too serious anyway.
The fact that Cocoon itself is open source does not mean you want to
display the source XML file to all end users who request it. Cocoon should
be able to manage things on sites where security and privacy have value.
Specifically, if you are trying to implement any kind of user or role
separation, managing private user data, etc, by storing info in an XML file
being served by Cocoon, or if you implement security using xsp code, you
may want the transformed file to be served to the end user but not the
source XML.
Of course, masking the XML source cannot make up for lazy design or poorly
implemented security, but exposing the source may be a potential unlocked
door for knob twisters.
Regards,
----------
Stephen Zisk                   MediaBridge Technologies
email: szisk@mediabridge.net   100 Nagog Park
tel: 978-795-7040              Acton, MA 01720 USA
fax: 978-795-7100              http://www.mediabridge.net