Why does IE request a security warning when viewing an XML file?

Opening an XML file in Internet Explorer provides a security warning. IE has a nice collapsible tree view for viewing XML, but it is disabled by default and you get this scary error message about a potential security hole. http://www.leonmeijer.nl/archive/2008/04/27/106.aspx

But why? How can simply browsing an XML file (not running any built-in macros in it or anything else) be a security hole? Of course, I understand that running XSLT can potentially do some bad things, but we are not talking about doing anything. We are talking about looking. Why can't IE just display the XML file as text (plus an expandable tree)?

So why did they designate this as a security hole? Can someone describe how simply viewing an XML document can be used as an attack document?

+4
2 answers

IE is still rendering the document, even though in the end it shows you the nice tree view you like. In fact, it shows you a converted version of the XML file. IIRC it converts the document to DHTML using XSLT. Thus, the document is still run through the rendering engine. If a tag appears during the rendering of the document that says something like

<object ... /> 

IE is likely to extract the object and load it into the document. If the object is an inactive ActiveX control or a little nasty Java, it will be launched.

+1

I do not think that Yang is right. What happens is that the tree viewer that is displayed is HTML, and it includes JavaScript. IE presents the XML as colored, legible HTML, and the expand / collapse code is implemented in JavaScript. IE then applies its default security policy, which prevents it from executing JS in files opened from the local file system, and this gives you a warning about how "this web page" is restricted from running scripts.

You can verify this by noting that if you did not select "Allow Blocked Content", then there will be no expand / collapse. If you enable scripting, expand / collapse will start working.

+4
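The script-free tree view the question asks about can in fact be built: the following is an added example (not code from the thread or from IE) that turns an XML document into a static HTML tree using only <details>/<summary> elements and escaped text, so element names, attributes and content such as object tags or script text are only ever displayed, never interpreted. It assumes Python 3 with the standard library; the sample XML is constructed.

```python
"""Render XML as a static, collapsible HTML tree with no script at all."""
import html
import xml.etree.ElementTree as ET


def _render_element(elem: ET.Element, depth: int) -> str:
    """Return one element (and its children) as nested <details> blocks.

    Every tag name, attribute and text node goes through html.escape, so
    the output can only ever describe the XML, not activate anything in it.
    """
    pad = "  " * depth
    name = html.escape(elem.tag)
    attrs = "".join(
        f' {html.escape(k)}="{html.escape(v, quote=True)}"'
        for k, v in sorted(elem.attrib.items())
    )
    children = list(elem)
    text = (elem.text or "").strip()
    if not children and not text:
        return f"{pad}<div>&lt;{name}{attrs}/&gt;</div>\n"
    if not children:
        return (f"{pad}<div>&lt;{name}{attrs}&gt;{html.escape(text)}"
                f"&lt;/{name}&gt;</div>\n")
    out = f"{pad}<details open><summary>&lt;{name}{attrs}&gt;</summary>\n"
    if text:
        out += f"{pad}  <div>{html.escape(text)}</div>\n"
    for child in children:
        out += _render_element(child, depth + 1)
    return out + f"{pad}</details>\n"


def render_tree(xml_text: str) -> str:
    """Parse xml_text and return the HTML tree for its root element."""
    root = ET.fromstring(xml_text)
    return _render_element(root, 0)


# Constructed sample: the kind of content the first answer worries about
# (an <object> element, script-looking text). The placeholder clsid is fake.
SAMPLE = """<config>
  <object classid="clsid:00000000-0000-0000-0000-000000000000" data="x.exe">payload</object>
  <note>&lt;script&gt;alert(1)&lt;/script&gt;</note>
  <flag value='say "hi"'/>
</config>"""

if __name__ == "__main__":
    print(render_tree(SAMPLE))
```

Open the printed HTML in any browser: the tree expands and collapses with no JavaScript, which is the behaviour the question expected IE to offer without a warning.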

Source: https://habr.com/ru/post/1303428/
