Why does IE prompt a security warning when viewing an XML file?
Posted
by Tav
on Stack Overflow
See other posts from Stack Overflow
or by Tav
Published on 2010-03-08T01:28:09Z
Indexed on
2010/03/08
1:35 UTC
Read the original article
Hit count: 294
Opening an XML file in Internet explorer gives a security warning. IE has a nice collapsible tree view for viewing XML, but it's disabled by default and you get this scary error message about a potential security hole. http://www.leonmeijer.nl/archive/2008/04/27/106.aspx
But why? How can simply viewing an XML file (not running any embedded macros in it or anything) possibly be a security hole? Sure, I get that running XSLT could potentially do some bad stuff, but we're not talking about executing anything. We're talking about viewing. Why can't IE simply display the XML file as text (plus with the collapsible tree viewer)?
So why did they label this as a security hole? Can someone describe how simply viewing an XML document could be used as an attack document?
© Stack Overflow or respective owner