Posted to users@cocoon.apache.org by Pi...@cec.eu.int on 2000/09/22 14:33:13 UTC

RE: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL

Isn't that what Open Source means ?

Pierre A.

> -----Original Message-----
> From: Stephen Zisk [mailto:szisk@mediabridge.net]
> Sent: Thursday, September 21, 2000 20:26
> To: cocoon-users@xml.apache.org
> Subject: Re: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL
> 
> 
> Be careful of security implications, though. That is, make sure you do not
> make this capability work such that if there is a file mumble.xml, you can
> see its source by pointing to mumble.xmls. This is a convenient scheme for
> certain kinds of debugging, but if you forget to turn it off, you are
> exposing your XML source to prying eyes. M$ did this in early versions of ASP.
> 
> > > I am now thinking of for all XML with filename .xmls, the apache server
> > > will use another servlet etc.  to pretty print it.
> > >
> > > If there is already a similar sol'n, that would be appreciated also.
> >
> >Within the examples dir there is a file called view_source.xml I believe
> >that can do this for you... I think this can be easily transformed to a
> >servlet which does that always for you... when the extension of a file
> >is .xmls (like phps for php)...
> >
> >Peter
> 
> ----------
> Stephen Zisk                      MediaBridge Technologies
> email:  szisk@mediabridge.net     100 Nagog Park
> tel:    978-795-7040              Acton, MA 01720    USA
> fax:    978-795-7100              http://www.mediabridge.net

Re: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL

Posted by Andrew Wat <cs...@cs.ust.hk>.
Hello,

> That being said, you could implement the source viewing extension with
> zero programming by using the sample view-source application and one
> apache rewrite rule to do the following transformation on the uri: 
> 
> /foo/bar.xmls -> /view-source?filename=/docroot/foo/bar.xml

Thanks for this pointer.
 
I think I can conclude that I cannot use the particular XSL that I want
to use (which has the collapsible tree JavaScript effect) unless I
tweak around with view-source XSP to incorporate this particular XSL.

I also thank others for pointing out the security issue.

Thanks
Andrew

Re: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL

Posted by Jason T <l-...@ahab.com>.
On Fri, Sep 22, 2000 at 03:53:08PM -0400, Stephen Zisk wrote:
> 
> Of course, masking the XML source cannot make up for lazy design or poorly 
> implemented security, but exposing the source may be a potential unlocked 
> door for knob twisters.

This is all very true... a careful reading of news reports about hacks
(even in contests) reveals that unprotected or insecurely designed web
applications may be responsible for more site cracks than you'd
normally think.

That being said, you could implement the source viewing extension with
zero programming by using the sample view-source application and one
apache rewrite rule to do the following transformation on the uri: 

/foo/bar.xmls -> /view-source?filename=/docroot/foo/bar.xml



RE: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL

Posted by Stephen Zisk <sz...@mediabridge.net>.
>Isn't that what Open Source means ?
>
>Pierre A.

I'm not sure whether to take this as a tease or not. Ah, well! My friends 
say I'm too serious anyway.

The fact that Cocoon itself is open source does not mean you want to 
display the source XML file to all end users who request it. Cocoon should 
be able to manage things on sites where security and privacy have value.

Specifically, if you are trying to implement any kind of user or role 
separation, managing private user data, etc, by storing info in an XML file 
being served by Cocoon, or if you implement security using xsp code, you 
may want the transformed file to be served to the end user but not the 
source XML.

Of course, masking the XML source cannot make up for lazy design or poorly 
implemented security, but exposing the source may be a potential unlocked 
door for knob twisters.

Regards,
----------
Stephen Zisk                      MediaBridge Technologies
email:  szisk@mediabridge.net     100 Nagog Park
tel:    978-795-7040              Acton, MA 01720    USA
fax:    978-795-7100              http://www.mediabridge.net
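
Added example (not part of any message in this thread, and not Cocoon or Apache code): a Python sketch of the .xmls to view-source mapping from the rewrite rule quoted above, combined with the "turn it off" switch raised in the security warning. The names rewrite_xmls, enabled and allowed_prefixes are hypothetical; /docroot and /view-source are taken from the thread.

```python
import posixpath
from urllib.parse import urlencode

DOCROOT = "/docroot"          # document root as written in the thread's rule
VIEW_SOURCE = "/view-source"  # target of the thread's rewrite rule


def rewrite_xmls(uri, enabled=False, allowed_prefixes=()):
    """Map /foo/bar.xmls to the view-source URI, or return None to refuse.

    Hypothetical helper: 'enabled' is the debugging switch (off by default)
    and 'allowed_prefixes' lists the only URI directories whose XML source
    may be shown (each should end with "/"). Both fail closed.
    """
    if not enabled or not uri.startswith("/") or not uri.endswith(".xmls"):
        return None
    # Drop the trailing "s" and resolve "." / ".." before any check.
    source = posixpath.normpath(DOCROOT + "/" + uri[:-1])
    if not source.startswith(DOCROOT + "/"):
        return None  # resolved outside the document root
    public_path = source[len(DOCROOT):]
    if not any(public_path.startswith(p) for p in allowed_prefixes):
        return None  # directory not opened up for source viewing
    return VIEW_SOURCE + "?" + urlencode({"filename": source}, safe="/")


if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    for uri in ("/foo/bar.xmls", "/private/users.xmls",
                "/foo/../private/users.xmls", "/foo/bar.xml"):
        print(uri, "->", rewrite_xmls(uri, enabled=True,
                                      allowed_prefixes=("/foo/",)))
```

A request that returns None is simply not rewritten, so the source stays hidden unless the switch is on and the directory is listed.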