Opening an XML file in Internet Explorer gives a security warning. IE has a nice collapsible tree view for viewing XML, but it’s disabled by default and you get this scary error message about a potential security hole.
http://www.leonmeijer.nl/archive/2008/04/27/106.aspx
But why? How can simply viewing an XML file (not running any embedded macros in it or anything) possibly be a security hole? Sure, I get that running XSLT could potentially do some bad stuff, but we’re not talking about executing anything. We’re talking about viewing. Why can’t IE simply display the XML file as text (plus with the collapsible tree viewer)?
So why did they label this as a security hole? Can someone describe how simply viewing an XML document could be used as an attack document?
IE is still rendering the document even though in the end it’s showing you that nice tree view you like. What it is actually showing you is a transformed version of the XML file. IIRC it transforms the doc to DHTML using XSLT. So the doc is still being run through its rendering engine. If, in the course of rendering the document, a tag shows up that says something like
IE will probably fetch the object and load it into the document. If the object is a malicious ActiveX control or a bit of nasty Java it’ll get run.
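To make the answer's point concrete, here is an added example (not code from the original thread) that screens an XML file for the two kinds of content a browser acts on while "just viewing" it: an xml-stylesheet processing instruction, which triggers a transform, and elements such as `<object>`, which trigger a load. The sample file, the scanner's names, and the element names other than `<object>` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: ordinary data plus the two constructs that the
# answer says the viewer would process rather than merely display.
SAMPLE_XML = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="transform.xsl"?>
<catalog>
  <item id="1">widget</item>
  <object data="placeholder.bin" type="application/octet-stream"/>
</catalog>
"""

# Elements a browser renderer may turn into an active load. The thread
# names only <object>; the others are assumed for illustration.
ACTIVE_ELEMENTS = {"object", "embed", "applet", "script", "iframe"}


class ActiveContentFinder:
    """ElementTree parser target that records processing instructions
    and element starts instead of building a tree."""

    def __init__(self):
        self.findings = []

    def pi(self, target, data):
        # <?xml-stylesheet ...?> asks the viewer to run a transform first.
        if target == "xml-stylesheet":
            self.findings.append(("stylesheet-pi", data))

    def start(self, tag, attrib):
        # Drop any {namespace} prefix and compare the local name only.
        local = tag.rsplit("}", 1)[-1].lower()
        if local in ACTIVE_ELEMENTS:
            self.findings.append(("active-element", local))

    def close(self):
        return self.findings


def scan_xml(data: bytes) -> list:
    """Return (kind, detail) pairs for constructs a viewer would act on."""
    parser = ET.XMLParser(target=ActiveContentFinder())
    parser.feed(data)
    return parser.close()


if __name__ == "__main__":
    for kind, detail in scan_xml(SAMPLE_XML):
        print(f"{kind}: {detail}")
```

The scanner only reports; the mitigation the thread points at is not handing untrusted XML to a viewer that executes what it displays.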