2

According to the W3C recommendation (and according to W3Schools), an XSL style sheet using XSLT should be declared as follows:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

Question: Is http://www.w3.org/1999/XSL/Transform ever actually fetched over HTTP (as opposed to being bundled with web browsers, for instance), making XSL style sheets vulnerable to a man-in-the-middle attack? If so, how should this attack be countered?

(I checked with a packet sniffer and found no such request, but I do not consider that completely conclusive, since there might be some caching involved.)

Setup: A (trusted) web server is serving the following two files over HTTPS:

data.xml:

<?xml version="1.0" encoding="utf-8" ?>
<?xml-stylesheet type="text/xsl" href="style.xsl"?>
<root>
</root>

style.xsl:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
    Output
</xsl:template>
</xsl:stylesheet>

A client (using for instance a modern web browser) accesses the data.xml file.

Proposed attack: If/when the web browser accesses http://www.w3.org/1999/XSL/Transform, an attacker substitutes something malicious, which transforms the XML into whatever the attacker wants, thereby bypassing the HTTPS authentication.

Anders
Eleron

1 Answer

5

XML Namespaces are just strings in the format of URIs, not actual lookups:

XML namespaces provide a simple method for qualifying element and attribute names used in Extensible Markup Language documents by associating them with namespaces identified by URI references.

The request never occurs. If you go to http://www.w3.org/1999/XSL/Transform in your browser, you'll see that the page returned is just a bunch of related document links to help out people who accidentally go to the URL.

So there's no risk due to the lack of SSL as, while the string is formatted to be a URI, it is just a string.

Neil Smithline
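The answer's point, as an added example (not code from the question or the answer): Python's standard-library XML parser reads the question's style.xsl with all socket creation blocked, then matches the namespace as a plain string. The helper names and the socket tripwire are assumptions of this example, and it exercises one XML parser only, not a browser's XSLT engine.

```python
import socket
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed input: the question's style.xsl, with the closing tag added.
STYLE_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
    Output
</xsl:template>
</xsl:stylesheet>"""


class NetworkAttempt(Exception):
    """Raised if anything tries to resolve a name or open a socket while parsing."""


def parse_offline(xml_text):
    """Parse xml_text with socket creation replaced by a tripwire; return the root."""
    def tripwire(*args, **kwargs):
        raise NetworkAttempt("parser tried to open a network connection")

    saved = (socket.socket, socket.create_connection, socket.getaddrinfo)
    socket.socket = socket.create_connection = socket.getaddrinfo = tripwire
    try:
        return ET.fromstring(xml_text)
    finally:
        # Always restore the real socket functions, even if parsing fails.
        socket.socket, socket.create_connection, socket.getaddrinfo = saved


def namespace_of(root):
    """Return the namespace name from ElementTree's '{namespace}local' tag form."""
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def is_xslt_stylesheet(root):
    """The element counts as XSLT only if the namespace string matches exactly."""
    return root.tag == "{%s}stylesheet" % XSLT_NS


if __name__ == "__main__":
    root = parse_offline(STYLE_XSL)
    print(namespace_of(root), is_xslt_stylesheet(root))
    # Changing the scheme produces a different name, not a safer download.
    other = parse_offline(STYLE_XSL.replace("http://www.w3.org", "https://www.w3.org"))
    print(namespace_of(other), is_xslt_stylesheet(other))
```

Parsing completes without tripping the socket guard, and rewriting the namespace to `https://` does not secure anything: it simply names a different namespace, so the element is no longer recognised as an XSLT stylesheet.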