cfml

In the Update 15 release notes, there's this:
&gt; If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same.
What does that mean, exactly?  Like, `XMLParse("a/path/to/an/xml/file.xml")` no longer works unless I set that flag?  (in the JVM args? In the Application.cfc?  the docs are a bit sparse here...)

That must not be what it means, because `XMLParse("<https://an/xml/file>")` is still working.

I’ll be curious to know what you figure out with this, as our apps work extensively with XML processing.

<@U0BJHDX1Q> do you have any insights here?

<@U1J54532B> I’m seeing something similar on the first dev box I sacrificed to this update: we’re parsing XML files based on a full path to the file and I’ve not done any server config related to that noted flag.

I was assuming it was referring to the XPath in `xmlSearch`, but still not clear on what is disallowed since slashes are going to be extremely common for that.

yeah -- that was my second thought. but / is vital to how XPath works. And the same file that I have parsing XML files then runs a bunch of XmlSearch on them and all that was working too.

And then I thought well maybe they mean / in the xml files themselves?  but that doesn't make sense either, because it's not allowed in tag values, except in closing tags where it's mandatory... And like schema definition references aren't blowing it up.

<@U01EY27APNH> do you have any details about this?

<@U0BJDA84R> can you speak to the language used and how it relates to the meaning re: XML?

I haven't exhaustively tested this, but I can trigger the error: `Expression Unable to process the XML string as it could probably contain file paths.`  for an XSLT style sheet passed to XMLTransform() contains slashes or backslashes.  But it also appears to trigger on `&lt;\xsl:stylesheet&gt;`, which I don't think is right

Sorry about delay in response but this change is for xmltransform() 

<@U01V33GMEBV> can you try the flag which is mentioned in the helpx. 

<@U01V33GMEBV> shouldn't that be `&lt;/xsl:stylesheet&gt;`?  The backslash there seems wrong.

<@U0BJHDX1Q> Sure - I can try.  It's not directly impacting me, and I'm happy to take the conversation offline.  I'm one of the folks who reported XMLTransform() issues.  For security reasons, you _may_ want to strip / and \ in _some_ xsl elements, but there are lots of places where you will want or need them (or where they'll be innocuous) -- such as `&lt;/xsl:stylesheet&gt;` and `&lt;xsl:stylesheet version="1.0" xmlns:xsl="<http://www.w3.org/1999/XSL/Transform>"&gt;`

<@U1J54532B> Ah - you're right.  copy/paste error as I tried both / and \ since the Adobe note mentioned both.  `&lt;/xsl:stylesheet&gt;` behaves the same way -- it will return the "Expression Unable to process the XML string as it could probably contain file paths." error

<@U0BJHDX1Q> adding to the list of places you'd want/need `/` in a transform... embedded XPath selectors.

So really, `XmlTransform` is now useless, unless you enable that flag.  because the xsl parameter of that function is not allowed to have / in it.  But it takes an XML string which is required to have / in it...