PHP :: Bug #53063 :: <xsl:include> and <xsl:import> are broken

Bug #53063

<xsl:include> and <xsl:import> are broken

Submitted:

2010-10-14 08:37 UTC

Modified:

2014-12-30 10:41 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	1 (50.0%)

From:

robin2008 at altruists dot org

Assigned:

Status:

No Feedback

Package:

XSLT related

PHP Version:

5.3.3

OS:

Ubuntu 10.04

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	robin2008 at altruists dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2010-10-14 08:37 UTC] robin2008 at altruists dot org

Description:
------------
Somewhere between 5.3.0 and 5.3.2, the security model for XSL has been over tightened. XSL stylesheets which refer to other stylesheet by <xsl:import> or <xsl:include> now fail to work.

Test script:
---------------
<?php
// PHP 5.3.2 XSLT BUG - <xsl:import> (and <xsl:include>) are broken

$aDOM= 		 new DOMDocument();
$aDOM->loadXML('<?xml version="1.0"?><etc/>');
$stylesheet= new DOMDocument();
$proc=       new XSLTProcessor();
$stylesheet->loadXML('<?xml version="1.0"?><stylesheet version="1.0" xmlns="http://www.w3.org/1999/XSL/Transform"><import href="somesheet.xslt"/><template match="/"/></stylesheet>');

$proc->importStyleSheet($stylesheet); 
$oops= $proc->transformToDoc($aDOM);

?>

Expected result:
----------------
Assuming there is a valid stylesheet at "somesheet.xslt", the transform should work as per the W3C spec.

Am I missing something? Is there, for example, a way to set this security default somewhere? Or a class method for XSLTProcessor to disable this?

Actual result:
--------------
Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: error in /home/robin/f2f/hardcode/xsl-import.php on line 10

Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: Local file read for /home/robin/f2f/hardcode/somesheet.xslt refused in /home/robin/f2f/hardcode/xsl-import.php on line 10

Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: error in /home/robin/f2f/hardcode/xsl-import.php on line 10

Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: xsl:import: read rights for /home/robin/f2f/hardcode/somesheet.xslt denied in /home/robin/f2f/hardcode/xsl-import.php on line 10

Warning: XSLTProcessor::transformToDoc() [xsltprocessor.transformtodoc]: No stylesheet associated to this object in /home/robin/f2f/hardcode/xsl-import.php on line 11

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-12-02 09:30 UTC] r3wald at gmail dot com

Please have a look at: http://bugs.php.net/bug.php?id=52257 .

I had exactly the same issue as you have. Disabling redland.so finally resolved 
it.

Robert

[2013-12-02 13:32 UTC] mike@php.net

-Status: Open +Status: Feedback

[2013-12-02 13:32 UTC] mike@php.net

Cannot reproduce.

[2013-12-02 13:56 UTC] r3wald at gmail dot com

Ditto. No problems anymore.

[2014-12-30 10:41 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 23:00:02 2025 UTC