XSL 在 Google Chrome 中不起作用 [英] XSL not working in Google Chrome
问题描述
我已经看到很多关于此的帖子......但我一生都无法弄清楚我的问题是什么!当我尝试使用 XSL 转换 XML 时,Google Chrome 仅显示一个空白页面.当我查看源代码时,我看到的是原始 XML.IE 有效.
I've seen plenty of posts all around about this... but I can not, for the life of me, figure out what my problem is! Google Chrome just displays a blank page when I try to transform XML with XSL. When I view source, I see the raw XML. IE works.
我有一个像这样的 XML 文档...
I have an XML document that looks like this...
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="http://localhost/xsl/listXSL.php"?>
<links>
<link id="1" name="Google Home Page" url="http://www.google.com/" clicks="0" />
<link id="2" name="Facebook" url="http://www.facebook.com/" clicks="1" />
<link id="3" name="Gmail" url="http://gmail.com" clicks="2" />
</links>
...然后链接的 XSL 文件看起来像这样...
... and then the linked XSL file which looks like this...
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:for-each select="links/link">
<a>
<xsl:attribute name="href">
<xsl:value-of select="@url" />
</xsl:attribute>
<xsl:value-of select="@name" />
</a><br />
</xsl:for-each>
</xsl:template>
</xsl:stylesheet>
您可能会注意到 XSL 文件实际上是一个 PHP 文件,但这在其他浏览器中运行良好,我尝试将其更改为 .xsl 以用于 Chrome,但没有帮助.我在这里做错了什么?
You might notice that the XSL file is actually a PHP file, but this works fine in other browsers and I've tried changing it to .xsl for Chrome, but it doesn't help. What I'm doing wrong here?
推荐答案
这不起作用的原因是 Chrome 以有争议的方式解决了安全问题[1][2][3][4],通过阻止 XML 文件访问同一目录中的本地 XSLT 文件,而HTML文件可以访问同一目录中的.CSS文件就好了.
The reason this doesn't work is due to a security concern that Chrome has addressed in a controversial way[1][2][3][4], by blocking XML files from accessing local XSLT files in the same directory, while HTML files can access .CSS files in the same directory just fine.
Chrome 团队在 2008 年给出的理由是这个:
The justification given by the Chrome team in 2008 was this:
想象一下这个场景:
您收到一封来自攻击者的电子邮件,其中包含您下载的网页附件.
You receive an email message from an attacker containing a web page as an attachment, which you download.
您在浏览器中打开现在本地化的网页.
You open the now-local web page in your browser.
本地网页创建一个源为 https://mail.google.com/mail/.
The local web page creates an whose source is https://mail.google.com/mail/.
由于您已登录 Gmail,因此框架会加载收件箱中的邮件.
Because you are logged in to Gmail, the frame loads the messages in your inbox.
本地网页通过使用JavaScript访问frames[0].document.documentElement.innerHTML来读取frame的内容.(Internet 网页将无法执行此步骤,因为它来自非 Gmail 源;同源策略会导致读取失败.)
The local web page reads the contents of the frame by using JavaScript to access frames[0].document.documentElement.innerHTML. (An Internet web page would not be able to perform this step because it would come from a non-Gmail origin; the same-origin policy would cause the read to fail.)
本地网页将收件箱的内容放入 a 并通过表单 POST 将数据提交到攻击者的 Web 服务器.现在攻击者拥有您的收件箱,这可能对发送垃圾邮件或识别盗窃很有用.
The local web page places the contents of your inbox into a and submits the data via a form POST to the attacker's web server. Now the attacker has your inbox, which may be useful for spamming or identify theft.
Gmail 无法保护自己免受这次攻击.
There is nothing Gmail can do to defend itself from this attack.
我同意这很烦人,作为解决方案,您有 2 个解决方案:
I do agree it's annoying, as a fix you've got 2 solutions:
尝试使用
--allow-file-access-from-files开关运行 chrome(我自己没有测试过)
Try running chrome with the
--allow-file-access-from-filesswitch (I've not tested this myself)
上传到主机,一切都会好的.
Upload it to a host, and everything will be fine.
这篇关于XSL 在 Google Chrome 中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
