Why is my XSL file no longer being applied to my XML file?
This morning Firefox upgraded to version 68.0 and several XML files that each reference a corresponding XSL file stopped loading as they always have. One example follows:
The file ASTest_Appl_Events..xml contains the following
<?xml version="1.0" encoding="ISO-8859-1"?> <?xml-stylesheet type="text/xsl" href="ASTest_Appl_Events.xsl"?> <ASTestApplEvents> <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Report Server Windows Service (MSSQLSERVER)'/><EventID Qualifiers='0'>107</EventID><Level>2</Level><Task>5</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2019-07-08T10:01:35.000000000Z'/><EventRecordID>270493</EventRecordID><Channel>Application</Channel><Computer>ASTest</Computer><Security/></System><EventData><Data>Report Server Windows Service (MSSQLSERVER)</Data></EventData></Event> <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-User Profiles Service' Guid='{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}'/><EventID>1530</EventID><Version>0</Version><Level>3</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-07-08T10:00:10.973301100Z'/><EventRecordID>270438</EventRecordID><Correlation/><Execution ProcessID='848' ThreadID='524'/><Channel>Application</Channel><Computer>ASTest</Computer><Security UserID='S-1-5-18'/></System><EventData Name='EVENT_HIVE_LEAK'><Data Name='Detail'>1 user registry handles leaked from \Registry\User\S-1-5-21-659900985-4002748794-950523200-1002: Process 300 (\Device\HarddiskVolume3\Windows\System32\conhost.exe) has opened key \REGISTRY\USER\S-1-5-21-659900985-4002748794-950523200-1002\Control Panel\International </Data></EventData></Event> </ASTestApplEvents>
The file ASTest_Appl_Events.xsl contains:
<?xml version="1.0" encoding="ISO-8859-1"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:MSEvent="http://schemas.microsoft.com/win/2004/08/events/event"> <xsl:template match="/"> <html> <body> <title>ASTest Appl Events</title> <table><tr> <td><h3>ASTest Application Events</h3></td> <td width="100"> </td> </tr></table> <table border="1" style="border-collapse:collapse;font-size:14px;" cellpadding="4"> <tr bgcolor="black" style="color:white"> <td>Server</td> <td>Event Type</td> <td>Provider</td> <td>Event ID</td> <td>Time (Mar-Oct subtract 4 hours, Nov-Feb subract 5 hours)</td> <td>Level</td> <td>Event Data</td> <td>User Data</td> </tr> <xsl:for-each select="ASTestApplEvents/MSEvent:Event"> <xsl:sort select="MSEvent:System/MSEvent:TimeCreated/@SystemTime" order="descending" /> <tr bgcolor="lightgray"> <td><xsl:value-of select="MSEvent:System/MSEvent:Computer"/></td> <td><xsl:value-of select="MSEvent:System/MSEvent:Channel"/></td> <td><xsl:value-of select="MSEvent:System/MSEvent:Provider/@Name"/></td> <td><xsl:value-of select="MSEvent:System/MSEvent:EventID"/></td> <td><xsl:value-of select="MSEvent:System/MSEvent:TimeCreated/@SystemTime"/></td> <xsl:choose> <xsl:when test="MSEvent:System/MSEvent:Level=1"> <td style="color:orange;">CRITICAL<br></br>( <xsl:value-of select="MSEvent:System/MSEvent:Level"/>) </td> </xsl:when> <xsl:when test="MSEvent:System/MSEvent:Level=2"> <td style="color:red;">ERROR<br></br>( <xsl:value-of select="MSEvent:System/MSEvent:Level"/>) </td> </xsl:when> <xsl:when test="MSEvent:System/MSEvent:Level=3"> <td style="color:green;">WARNING<br></br>( <xsl:value-of select="MSEvent:System/MSEvent:Level"/>) </td> </xsl:when> <xsl:otherwise> <td>(<xsl:value-of select="MSEvent:System/MSEvent:Level"/>)</td> </xsl:otherwise> </xsl:choose> <td><xsl:for-each select="MSEvent:EventData/MSEvent:Data"> <img src="Blue_dot(sm).jpg"/> <strong><em><xsl:value-of select="./@Name"/>:</em></strong> <xsl:value-of select="."/><br></br> </xsl:for-each></td> <td><xsl:for-each select="MSEvent:UserData"> <img src="Blue_dot(sm).jpg"/> <strong><em><xsl:value-of select="./@Name"/>:</em></strong> <xsl:value-of select="."/> </xsl:for-each></td> </tr> </xsl:for-each> </table> </body> </html> </xsl:template> </xsl:stylesheet>
Screen shots of what I used to see (html generated by an Online XSL Transformer) and currently see are attached.
Any assistance would be appreciated.
Thanks, Kurt H
Modified by cor-el
Chosen solution
So in another request: Firefox local development "CORS request not http", I found the suggestion to toggle the value of the about:config setting privacy.file_unique_origin. Doing so resolved my page load issue, but at the same time feels like it could leave my browser far less safe.
Read this answer in context 👍 0All Replies (17)
Hi Kurt, the site "eats" certain tags, but I see you have:
<?xml version="1.0" encoding="ISO-8859-1"?> <?xml-stylesheet type="text/xsl" href="ASTest_Appl_Events.xsl"?>
Are these being served on http/https, or opened from disk (file URL)? If you right-click the page and choose View Page Info, does it have an XML content-type such as application/xml or text/xml?
On the style sheet, I notice it uses an unusual namespace, although that might not matter:
<?xml version="1.0" encoding="ISO-8859-1"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:MSEvent="http://schemas.microsoft.com/win/2004/08/events/event">
Could you check for messages in Firefox's Web Console? You can open the Web Console in the lower part of the tab using either:
- "3-bar" menu button > Web Developer > Web Console
- (menu bar) Tools > Web Developer > Web Console
- (Windows) Ctrl+Shift+k
Then reload the page in the upper part of the tab and watch for error or security messages. Anything that sounds like it could be relevant? You can expand the list by using the row of headings starting with Errors Warning Logs in case there are messages in other categories.
My files are being opened from the command line as a file URL: start "" "C:\Program Files\Mozilla Firefox\firefox.exe" c:\Workspace\ASTest_Appl_Events.xml
Thanks for the information on the Web Console. I see from it that it's not reading my XLS file due to the Same Origin Policy, apparently because the request is not http. I'll have to see if there is a way to override that policy for specific locations on my network.
Modified by Kurt H
Chosen Solution
So in another request: Firefox local development "CORS request not http", I found the suggestion to toggle the value of the about:config setting privacy.file_unique_origin. Doing so resolved my page load issue, but at the same time feels like it could leave my browser far less safe.
Kurt H said
So in another request: Firefox local development "CORS request not http", I found the suggestion to toggle the value of the about:config setting privacy.file_unique_origin. Doing so resolved my page load issue, but at the same time feels like it could leave my browser far less safe.
You beat me to it.
As for the safety of it, it is a theoretical basis for an attack. The problem could arise when you open an untrusted page in a folder with sensitive files. If you save pages from untrusted sites in a separate folder, e.g., Downloads\Untrusted, then it would be difficult for an attacker to find any valuable content using local file links.
I create xml files in a ..\reports directory They reference a stylesheet e.g.: '.\SurveyRespondentList.xsl'
The most recent Firefox Quantum 68.0 (64-bit) appears to be 'broken' Previous versions have worked over the years The newest version apparently broke something. My reports also work on Internet Explorer 11 My applications are open to all and I have been using this approach to create and display database query reports for years.
Modified by anderci
anderci said
The newest version apparently broke something.
Yes, there was a security patch which restricts local file loads by local pages. As noted in the solution at the top, you can roll back that patch:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste uniq and pause while the list is filtered
(3) Double-click the privacy.file_unique_origin preference to switch the value from true to false
Thank you for responding. How does this help any/all users trying to view __.xml report files? If they are using Firefox, they would be using the default version.
anderci said
How does this help any/all users trying to view __.xml report files? If they are using Firefox, they would be using the default version.
This change I mentioned is for file:// URLs. It shouldn't affect opening XML files from a server on a http:// or https:// URL.
Thank you for responding. ALL of the report files are file:// URLs created for the user on their local PC by the programs I created for their use on their local PC. This approach has worked very well for years.
Hi anderci, unfortunately your users either need to roll back this patch or view the XML files in a different browser.
1) Is the simple functionality I have used for years gone forever? Or will some eventual future patch restore it? 2) Can this patch rollback be handled by some type of script?
Hi anderci:
> 1) Is the simple functionality I have used for years gone forever? Or will some eventual future patch restore it?
The developers are aware that this patch created problems with HTML-based help documentation, but they weren't able to come up with a way to distinguish legitimate local links from potential attack links. In the future, they might come up with something to allow help documentation to work again and hopefully you would be able to benefit from that, but it's not likely to happen soon.
> 2) Can this patch rollback be handled by some type of script?
It's not very convenient to try to script changes to Firefox settings files because they are stored in profile folders with a randomized name. Also, I wouldn't recommend rolling back security patches applied to your customers' systems without their knowledge and consent. That might make you liable for a potential data breach.
Hi there,
You can install another Firefox ( Firefox ESR)as dual-installation to solve this issue. Means you have two Firefoxes on one OS: Firefox 68(or later) and Firefox 60 ESR. It might not be a complete solution(this is an important point in the context of your manner) but it works. For instance, to open an XML file including an XSL file uses Firefox 60 ESR, to Internet browsing uses Firefox 68 or later. Don't use Firefox 68 ESR(or later) as this way because it works the same to Firefox 68 in terms of the CORS.(see MDN web docs 'Reason: CORS request not HTTP' > Local File Security in Firefox 68 ). Now your latest Firefox keeps CORS security while your Firefox ESR is downgraded at the old version of CORS.
This solution aims to debug the XML/XSL that placed on local with Firefox. (file:///folder.../xxx.xml)
To install Firefox ESR as the addition, choosing custom install is a must to pre-create a 'Mozilla Firefox ESR' folder that Firefox ESR will be installed. If you are using Windows, open 'Run' and enter-in 'firefox -p' then press Enter, You can create a new profile to use with the Firefox ESR. It might better that choose another folder that is different from Firefox Quantum already installed. As a preparation, open Firefox already installed, go help > Troubleshooting Information.
firefox esr 60: https://www.mozilla.org/en-US/firefox/organizations/
This change seems to be causing problems in various places. Can I temporarily change the value of privacy.file_unique_origin by command line option? Chrome has options like --allow-file-access-from-files.
Modified by satakagi
Hi satakagi, there is not a command-line switch to flip that preference from true to false.
Thank you for answering. As I faced this problem in my project too, I solved it by changing to a test using google Chrome recently. I would be glad if you could support future command line options like Chrome's --allow-file-access-from-files.
Another approach is to modify the .xml file to imbed the XSLT code. I believe this works with Firefox 68 and Firefox 64 and Chrome 75 but not with IE 11. Very unfortunately I know of no clear trend among web browsers to reject the 'reports' with .xml and .xsl paired files and to accept .xml files with the embedded xslt style code. Also, I have not learned the clean way of doing this embedded style code .