Opened 16 years ago
Closed 16 years ago
#7603 closed defect (fixed)
exported xml files are downloaded instead of displayed
Reported by: | | Owned by: | Christian Boos |
---|---|---|---|
Priority: | normal | Milestone: | 0.11.2 |
Component: | version control/browser | Version: | 0.11.1 |
Severity: | normal | Keywords: | xml svn browser wiki |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
Checked in xml documents that have attached stylesheets and xsl are downloaded instead of displayed when using the export:/my_path/my_doc.xml links.
To reproduce the problem, check in an xml document such as this that processes itself: http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml
Also check in the stylesheet and xsl in the same directory so they can be referenced: http://google-styleguide.googlecode.com/svn/trunk/styleguide.css http://google-styleguide.googlecode.com/svn/trunk/styleguide.xsl
Now add an export link to your wiki: export:/my_path_to/cppguide.xml
The correct behavior would be to send the xml document to the browser like a normal html doc. Instead it has the browser download it (probably the mime type is wrong for exported xml documents).
Attachments (0)
Change History (6)
comment:1 by , 16 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
follow-up: 4 comment:2 by , 16 years ago
Resolution: | wontfix |
---|---|
Status: | closed → reopened |
The export feature is documented here as being useful for viewing html pages: http://trac.edgewall.org/wiki/TracLinks
There are ongoing threads in trac users with people confused about why this doesn't work (with html pages) based on looking at the documentation: http://groups.google.com/group/trac-users/browse_thread/thread/f09a2806c367b17
Is there any way to change this behavior via configuration? This is extremely annoying to me. Also, SVN isn't an internet forum where anonymous posting is allowed, so in the vast majority of cases this isn't a security problem. It certainly isn't to me.
comment:3 by , 16 years ago
Resolution: | → wontfix |
---|---|
Status: | reopened → closed |
Most browsers have a "View" option on the download dialog. The important thing is this won't execute the page within the URL context of the Trac site. There is no option to control it, though you could probably do some interesting things with a plugin.
comment:4 by , 16 years ago
Resolution: | wontfix |
---|---|
Status: | closed → reopened |
Replying to catphive@…:
> The export feature is documented here as being useful for viewing html pages: http://trac.edgewall.org/wiki/TracLinks
What's missing from the docs is that if you want this behavior, you need to explicitly disable the "forced download" behavior, in TracIni#browser-section:
```ini
[browser]
render_unsafe_content = yes
```
Quoting from the TracIni#browser-section:
> Pretty much any file may be interpreted as HTML by the browser, which allows a malicious user to attach a file containing cross-site scripting attacks.
That's why this setting is set to no by default, in which case the Content-Disposition is always set to attachment.
Also, "interpreting anything as HTML" (or xml for that matter) vastly depends on the browser. IExplorer will happily render the above document even when it's sent back as text/plain. Other browsers will only attempt to apply the .xsl stylesheet when the mimetype is actually text/xml, which is the case when the filename ends with .xml.
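The header decision described in comment:4, as an added Python example (not Trac's code and not part of the ticket thread). The extension map, the list of active types, the function names and the `X-Content-Type-Options` check are assumptions of this example; the sample filenames are the ones from the description plus a constructed `notes.txt`.

```python
# Added illustration; models the behaviour described in the ticket, not Trac's source.
import os

# Assumed extension map for this example (the ticket only states .xml -> text/xml).
EXT_TYPES = {".xml": "text/xml", ".xsl": "text/xml", ".html": "text/html",
             ".css": "text/css", ".txt": "text/plain"}
# Types a browser renders as markup that can carry script (assumed list).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "text/xml",
                "application/xml", "image/svg+xml"}


def export_headers(filename, render_unsafe_content=False):
    """Headers for a raw export, following the rule quoted from TracIni."""
    ext = os.path.splitext(filename)[1].lower()
    headers = {"Content-Type": EXT_TYPES.get(ext, "application/octet-stream")}
    if not render_unsafe_content:
        # Default (setting = no): every raw view is tagged as a download.
        headers["Content-Disposition"] = "attachment"
    return headers


def verdict(headers):
    """Classify how a browser will treat a response with these headers."""
    disp = headers.get("Content-Disposition", "inline").split(";")[0].strip().lower()
    if disp == "attachment":
        return "download"
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in ACTIVE_TYPES:
        return "renders-active"  # rendered within the URL context of the site
    if headers.get("X-Content-Type-Options", "").strip().lower() != "nosniff":
        return "sniffable"  # a sniffing browser may still treat the body as markup
    return "inert"


def audit(filenames, render_unsafe_content):
    """Map each exported file to its verdict under the given setting."""
    return {name: verdict(export_headers(name, render_unsafe_content))
            for name in filenames}


# Constructed sample: the three files from the description plus a text file.
SAMPLE = ["cppguide.xml", "styleguide.xsl", "styleguide.css", "notes.txt"]

if __name__ == "__main__":
    for setting in (False, True):
        print("render_unsafe_content =", setting, audit(SAMPLE, setting))
```

With the setting enabled, the `.xml` and `.xsl` files come back as `renders-active`, while the `text/plain` file is only `sniffable`, which is the browser-dependent case comment:4 mentions.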
comment:5 by , 16 years ago
Milestone: | → 0.11.2 |
---|---|
Owner: | set to |
Status: | reopened → new |
comment:6 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Documentation fixed in TracLinks@63.
Allowing the browser to render it is a security risk, as it could contain JavaScript, etc. All raw-mode views are specifically tagged as downloads.