
Opened 11 years ago

Closed 11 years ago

#7603 closed defect (fixed)

exported xml files are downloaded instead of displayed

Reported by: catphive@…
Owned by: Christian Boos
Priority: normal
Milestone: 0.11.2
Component: version control/browser
Version: 0.11.1
Severity: normal
Keywords: xml svn browser wiki

Description

Checked in xml documents that have attached stylesheets and xsl are downloaded instead of displayed when using the export:/my_path/my_doc.xml links.

To reproduce the problem, check in an xml document such as this that processes itself: http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml

Also check in the stylesheet and xsl in the same directory so they can be referenced: http://google-styleguide.googlecode.com/svn/trunk/styleguide.css and http://google-styleguide.googlecode.com/svn/trunk/styleguide.xsl

Now add an export link to your wiki: export:/my_path_to/cppguide.xml

The correct behavior would be to send the xml document to the browser like a normal html doc. Instead it has the browser download it (probably the mime type is wrong for exported xml documents).

Attachments (0)

Change History (6)

comment:1 by Noah Kantrowitz, 11 years ago

Resolution: wontfix
Status: new → closed

Allowing the browser to render it is a security risk, as it could contain JavaScript, etc. All raw-mode views are specifically tagged as downloads.

comment:2 by catphive@…, 11 years ago

Resolution: wontfix
Status: closed → reopened

The export feature is documented here as being useful for viewing html pages: http://trac.edgewall.org/wiki/TracLinks

There are ongoing threads in trac users with people confused why this doesn't work (with html pages) based on looking at the documentation: http://groups.google.com/group/trac-users/browse_thread/thread/f09a2806c367b17

Is there any way to change this behavior via configuration? This is extremely annoying to me. Also, SVN isn't an internet forum where anonymous posting is allowed, so in the vast majority of cases this isn't a security problem. It certainly isn't to me.

comment:3 by Noah Kantrowitz, 11 years ago

Resolution: wontfix
Status: reopened → closed

Most browsers have a "View" option on the download dialog. The important thing is this won't execute the page within the URL context of the Trac site. There is no option to control it, though you could probably do some interesting things with a plugin.

comment:4 by Christian Boos, 11 years ago (in reply to: 2)

Resolution: wontfix
Status: closed → reopened

Replying to catphive@…:

The export feature is documented here as being useful for viewing html pages: http://trac.edgewall.org/wiki/TracLinks

What's missing from the docs is that if you want this behavior, you need to explicitly disable the "forced download" behavior, in TracIni#browser-section:

[browser]
render_unsafe_content = yes

Quoting from the TracIni#browser-section:

Pretty much any file may be interpreted as HTML by the browser, which allows a malicious user to attach a file containing cross-site scripting attacks.

That's why this setting is set to no by default, in which case the Content-Disposition is always set to attachment.

Also, "interpreting anything as HTML" (or xml for that matter) vastly depends on the browser. IExplorer will happily render the above document even when it's sent back as text/plain. Other browsers will only attempt to apply the .xsl stylesheet when the mimetype is actually text/xml, which is the case when the filename ends with .xml.
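
The behaviour described in comment:4, as an added example that is not part of the ticket and not Trac's own code: it reads `render_unsafe_content` from a `[browser]` section and reports which exported files would be rendered inside the site's origin. The function names, the extension map and the sample inputs are assumptions made for illustration, and browser content sniffing (the IExplorer case above) is deliberately not modelled.

```python
import configparser
import posixpath

# Constructed extension-to-MIME map for this example (not Trac's own table).
MIME_BY_EXT = {".xml": "text/xml", ".xsl": "text/xml",
               ".html": "text/html", ".css": "text/css"}
# Types a browser treats as active content when they are served inline.
ACTIVE_TYPES = {"text/html", "text/xml"}


def render_unsafe_content(ini_text):
    """Read [browser] render_unsafe_content; an absent option means 'no'."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.getboolean("browser", "render_unsafe_content", fallback=False)


def raw_headers(path, render_unsafe):
    """Headers for a raw response serving the repository file at `path`."""
    ext = posixpath.splitext(path)[1].lower()
    headers = [("Content-Type", MIME_BY_EXT.get(ext, "application/octet-stream"))]
    if not render_unsafe:
        # Default: force a download so the file never runs in the site's origin.
        headers.append(("Content-Disposition", "attachment"))
    return headers


def runs_in_site_origin(headers):
    """True when the response is inline and of a type browsers execute."""
    h = {k.lower(): v.lower() for k, v in headers}
    inline = not h.get("content-disposition", "").startswith("attachment")
    return inline and h.get("content-type") in ACTIVE_TYPES


def audit(ini_text, paths):
    """Map each exported path to whether it would render in the site's origin."""
    unsafe = render_unsafe_content(ini_text)
    return {p: runs_in_site_origin(raw_headers(p, unsafe)) for p in paths}


# Constructed sample inputs: a default config and one that opts in.
DEFAULT_INI = "[browser]\n"
OPT_IN_INI = "[browser]\nrender_unsafe_content = yes\n"
PATHS = ["/my_path_to/cppguide.xml", "/my_path_to/styleguide.css"]

if __name__ == "__main__":
    for name, ini in (("default", DEFAULT_INI), ("opt-in", OPT_IN_INI)):
        print(name, audit(ini, PATHS))
```
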

comment:5 by Christian Boos, 11 years ago

Milestone: 0.11.2
Owner: set to Christian Boos
Status: reopened → new

comment:6 by Christian Boos, 11 years ago

Resolution: fixed
Status: new → closed

Documentation fixed in TracLinks@63.
