Mozilla Foundation Security Advisory 2005-20

XSLT can include stylesheets from arbitrary hosts

Announced: February 24, 2005
Reporter: Georgi Guninski
Risk: High
Impact: Low
Products: Firefox, Mozilla Suite
Fixed in:
  • Firefox 1.0.1
  • Mozilla Suite 1.7.6

Description

xsl:include and xsl:import can include XSLT stylesheets from arbitrary domains, including those behind the user's firewall. At a minimum, this allows checking whether these files exist; it's not clear how much, if any, data could be extracted from arbitrary XML files.
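The following Python audit is an added example, not part of the advisory and not Mozilla's fix: it resolves every xsl:include and xsl:import href against the stylesheet's own URL and reports the ones that point at a different origin. The function names, the sample stylesheet and all hosts in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
INCLUDE_TAGS = {f"{{{XSL_NS}}}include": "xsl:include",
                f"{{{XSL_NS}}}import": "xsl:import"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def cross_origin_includes(stylesheet_text, base_url):
    """List (element, resolved_url) for each xsl:include / xsl:import whose
    target is not same-origin with the stylesheet's own URL (base_url)."""
    # ElementTree does not fetch external entities, so parsing stays offline.
    root = ET.fromstring(stylesheet_text)
    base_origin = origin(base_url)
    findings = []
    for el in root.iter():  # document order
        name = INCLUDE_TAGS.get(el.tag)
        href = el.get("href")
        if name is None or href is None:
            continue
        resolved = urljoin(base_url, href)  # handles relative and //host forms
        if origin(resolved) != base_origin:
            findings.append((name, resolved))
    return findings


# Constructed sample stylesheet; hosts are placeholders, not from the advisory.
SAMPLE_BASE = "http://www.example.com/styles/page.xsl"
SAMPLE = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="common/base.xsl"/>
  <xsl:import href="http://intranet.example/reports/layout.xsl"/>
  <xsl:include href="//192.168.0.10/admin/status.xsl"/>
  <xsl:include href="http://www.example.com:80/shared.xsl"/>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for element, url in cross_origin_includes(SAMPLE, SAMPLE_BASE):
        print(f"cross-origin {element}: {url}")
```

The relative href and the explicit `:80` href resolve to the stylesheet's own origin and are not reported; the other two are.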

Workaround

Upgrade to a fixed build.
