# adobe
t
In the Update 15 release notes, there's this:
If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same.
What does that mean, exactly? Like,
XMLParse("a/path/to/an/xml/file.xml")
no longer works unless I set that flag? (in the JVM args? In the Application.cfc? the docs are a bit sparse here...)
That must not be what it means, because
XMLParse("https://an/xml/file")
is still working.
r
I’ll be curious to know what you figure out with this, as our apps work extensively with XML processing.
t
@priyank_adobe do you have any insights here?
r
@Tim I’m seeing something similar on the first dev box I sacrificed to this update: we’re parsing XML files based on a full path to the file and I’ve not done any server config related to that noted flag.
m
I was assuming it was referring to the XPath in xmlSearch, but still not clear on what is disallowed since slashes are going to be extremely common for that.
t
yeah -- that was my second thought. but / is vital to how XPath works. And the same file that I have parsing XML files then runs a bunch of XmlSearch on them and all that was working too.
And then I thought well maybe they mean / in the xml files themselves? but that doesn't make sense either, because it's not allowed in tag values, except in closing tags where it's mandatory... And like schema definition references aren't blowing it up.
@Mark Takata (Adobe) do you have any details about this?
m
@saghosh can you speak to the language used and how it relates to the meaning re: XML?
b
I haven't exhaustively tested this, but I can trigger the error:
Expression Unable to process the XML string as it could probably contain file paths.
for an XSLT style sheet passed to XMLTransform() that contains slashes or backslashes. But it also appears to trigger on <\xsl:stylesheet>, which I don't think is right.
p
Sorry about the delay in response, but this change is for xmltransform().
@Brian Reilly can you try the flag which is mentioned in the helpx?
t
@Brian Reilly shouldn't that be </xsl:stylesheet>? The backslash there seems wrong.
b
@priyank_adobe Sure - I can try. It's not directly impacting me, and I'm happy to take the conversation offline. I'm one of the folks who reported XMLTransform() issues. For security reasons, you may want to strip / and \ in some xsl elements, but there are lots of places where you will want or need them (or where they'll be innocuous) -- such as </xsl:stylesheet> and <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
@Tim Ah - you're right. Copy/paste error as I tried both / and \ since the Adobe note mentioned both. </xsl:stylesheet> behaves the same way -- it will return the "Expression Unable to process the XML string as it could probably contain file paths." error.
t
@priyank_adobe adding to the list of places you'd want/need / in a transform... embedded XPath selectors. So really, XmlTransform is now useless unless you enable that flag, because the xsl parameter of that function is not allowed to have / in it. But it takes an XML string which is required to have / in it...