Why does IE prompt a security warning when viewing an XML file?

Posted by Tav on Stack Overflow See other posts from Stack Overflow or by Tav
Published on 2010-03-08T01:28:09Z Indexed on 2010/03/08 1:35 UTC
Read the original article Hit count: 262

Filed under:

ie

|

Xml

Opening an XML file in Internet explorer gives a security warning. IE has a nice collapsible tree view for viewing XML, but it's disabled by default and you get this scary error message about a potential security hole. http://www.leonmeijer.nl/archive/2008/04/27/106.aspx

But why? How can simply viewing an XML file (not running any embedded macros in it or anything) possibly be a security hole? Sure, I get that running XSLT could potentially do some bad stuff, but we're not talking about executing anything. We're talking about viewing. Why can't IE simply display the XML file as text (plus with the collapsible tree viewer)?

So why did they label this as a security hole? Can someone describe how simply viewing an XML document could be used as an attack document?

© Stack Overflow or respective owner

Related posts about ie

Excel document opens in IE 64, not in IE 32

as seen on Super User - Search for 'Super User'
Whenever I click on a hyperlink to a scrip that outputs an Excel 8 document, I get a prompt from IE to open the file or save-as. If I click open in IE 32 bit, the document opens in Excel (which is what I want). If I click open in the 64 bit version of IE, the document opens in the browser. How… >>> More
Unable to either locate any wireless networks nor even connect to wifi

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I'm new to Linux. I currently have installed ubuntu 12.10. I had a previous problem with my wireless card (see url to see previous problem : How to enable wireless in a Fujitsu LH532?). It now shows Connect to hidden network and create new wireless network but now unfortunately it simply cannot find… >>> More
Java Problem when i upgraded from IE 7 to IE 8

as seen on Server Fault - Search for 'Server Fault'
I face problem with upgrading IE8 related to JAVA. The problem only with IE8, IE7 is OK and I have the latest Java version. After I upgrade the IE8, the graphics which has dynamics reading from the server is not updating and it shows NaN. I tried the following : - upgrade the server win2003 with latest… >>> More
Why version of chrome does not matter much more then firefox and firefox does not matter much as IE

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Everything not perfect. in software the software make and growth by user feedback like what user expected from the software and want in next version of software. In a chrome Event i hear about the Chromium. you can find some interesting things here Video 1 Video 2 come to the point. when i hear… >>> More
Problem display in IE 7 & IE 6 - simplemodal-1.3.4 and Jquery 1.4.2

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a link, after click this link, a modal was displayed. I used ModalDialog with code: $(document).ready(function() { //linkTTT is link id $("a#linkTTT").click(function() { //content is id of div that contains content $("#content").modal({ onOpen: function(dialog)… >>> More

Related posts about Xml

Store XML,update record in XML,retrive a specific record in XML stored on BB device

as seen on Stack Overflow - Search for 'Stack Overflow'
I am writing a blackberry application where i want to store the data returned by a web service in my BB device.Earlier i was going to use SQLite for storing the data in mobile but as i googled and also did programming using SQLite and found that some BB devices dont support SQLite library and fail… >>> More
gwt+xml- can i read through incomplete XML using the GWT XML Parser

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a requirement where a user is typing in XML in a text area, and I want to show the various nodes in a tree...But as the user is typing in the xml, it wont be a complete xml (since he is still typing in the XML)... How do I read an incomplete XML and correctly generate the tree? I understand… >>> More
perl xml parser get xml content within xml

as seen on Stack Overflow - Search for 'Stack Overflow'
How can I use XMLParser to get the item-@url, item-@replace and item-"value inside" for the content as a string of the node where item-@cone="one"? <cstep> <item cone="one" url="http://google.com/{ccc}/cthree" replace="{ccc}"> <itemsub conesub="conesub"> … >>> More
Reading php generated XML in flash?

as seen on Stack Overflow - Search for 'Stack Overflow'
Here is part 1 of our problem (Loading a dynamically generated XML file as PHP in Flash). Now we were able to get Flash to read the XML file, but we can only see the Flash render correctly when tested(test movie) from the actual Flash program. However, when we upload our files online to preview the… >>> More
Announcing RSS feeds of Microsoft All-In-One Code Framework code samples

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Today, we are not only announcing Sample Browser v2 CTP, but we are also excited to announce the availability of RSS feeds of All-In-One Code Framework code samples. By using these feeds, you can easily track and download the new code samples. English RSS feeds All code samples: http://support… >>> More