XML / XSL security problem

Guest

H

We have a download that produces an XML file (download.xml).
This file has the following headers:
<?xml version="1.0" encoding="WINDOWS-1252"?><?xml-stylesheet type="text/xsl" href="https://www.mysite.com/transformToExcel.xsl" ?><?mso-application progid="Excel.Sheet"?>

When an Excel 2002+ user opens this it then loads the stylesheet (if they choose the correct option) and transforms our XML into Excel XML. All excellent stuff..

BUT
in Excel 2002 (2003 is ok)
if they have High Macro Security then Excel does not load or transform using the stylesheet, it just shows the XML data.
If they have medium security it warns them that there are unsigned macros and, if they select the default 'NO' option, it again does not do the transform.

We do not have ANY script in our stylesheet.
There are no macros etc.

Is there any setting we can control, or get our clients to alter (aside from setting low or medium macro security), that would avoid this issue?
 
Wei-Dong Xu [MSFT]

Hi steve,

Thank you for using Microsoft newsgroup!

Currently we are performing some research on this problem, and we will
reply to you as soon as possible if we get any results!

We greatly appreciate your patience!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Wei-Dong Xu [MSFT]

Hi steve,

Thank you for replying and for your patience!

Based on my research, Excel 2002 will treat all XSL files as potentially
harmful, similar to macro code. So in High security Excel will not give you
the option of applying the transform to the document. It should still open
the XML file without the transform.

Excel 2003 can determine whether or not an XSL contains anything that is
potentially harmful. So even in High security if the XSL doesn't contain
script (or several other attributes that could be dangerous) Excel will
still give you the option of applying the transform.

From your description, you are using one "safe" stylesheet, therefore Excel
2003 will apply it no matter what security mode is set.

Please feel free to let me know if you have any further questions. I am
standing by to be of assistance.

Does this answer your question? Thank you for using Microsoft NewsGroup!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
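
Added example, not part of any poster's message and not Microsoft's code: a pre-release check a site could run on the stylesheet it serves, confirming that it carries no script-bearing constructs before Excel users open the download. The element list covers known script elements of Microsoft's XSLT dialects only; it is an assumption, not Excel 2003's actual criteria, which the thread leaves undocumented, and the two sample stylesheets are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Known script-bearing elements (assumed list, NOT Excel's documented criteria).
SCRIPT_ELEMENTS = {
    "{urn:schemas-microsoft-com:xslt}script",  # msxsl:script
    "{http://www.w3.org/TR/WD-xsl}script",     # legacy xsl:script
    "{http://www.w3.org/TR/WD-xsl}eval",       # legacy xsl:eval
}

# Header from the original post, followed by a constructed root element.
DOWNLOAD_HEADER = (
    '<?xml version="1.0" encoding="WINDOWS-1252"?>'
    '<?xml-stylesheet type="text/xsl" '
    'href="https://www.mysite.com/transformToExcel.xsl" ?>'
    '<?mso-application progid="Excel.Sheet"?><data/>')

# Constructed sample stylesheets: one clean, one with embedded script.
CLEAN_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><Workbook/></xsl:template>
</xsl:stylesheet>"""
SCRIPTED_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:u="urn:example-helpers"
    extension-element-prefixes="msxsl">
  <msxsl:script language="JScript" implements-prefix="u">function f(){return 1;}</msxsl:script>
  <xsl:template match="/"><Workbook/></xsl:template>
</xsl:stylesheet>"""

def stylesheet_href(xml_text):
    """Return the href of the first xml-stylesheet processing instruction."""
    pi = re.search(r"<\?xml-stylesheet\s+(.*?)\?>", xml_text, re.S)
    href = pi and re.search(r"""href\s*=\s*(["'])(.*?)\1""", pi.group(1))
    return href.group(2) if href else None

def audit_stylesheet(xsl_text):
    """List script elements and extension-prefix declarations found."""
    findings = []
    for el in ET.fromstring(xsl_text).iter():
        if el.tag in SCRIPT_ELEMENTS:
            findings.append("script element: " + el.tag)
        if el.get("extension-element-prefixes"):
            findings.append("extension prefixes: " + el.get("extension-element-prefixes"))
    return findings

if __name__ == "__main__":
    print("stylesheet:", stylesheet_href(DOWNLOAD_HEADER))
    for name, xsl in (("clean", CLEAN_XSL), ("scripted", SCRIPTED_XSL)):
        print(name, audit_stylesheet(xsl) or "no script constructs found")
```

An empty result only means none of the listed constructs is present; it does not guarantee that a given Excel version will apply the transform without prompting.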
 
Wei-Dong Xu [MSFT]

Hi steve,

Furthermore, so far as I know, I'd suggest you will need to tell the users
to set the security level to Medium or Low in Excel 2002 when opening the
xml file which needs the xsl. If set to high, the security warning window
will appear. For Excel 2003 users, there will not be any warning window
popped up if the xml file contains no "unsafe" script code.

Your customers can set the security to medium or low in two ways:
1) manually, the users should configure the security setting (located in
Tools->Macro->Security...->Security Level) to medium or low.
2) programming, you can create one signed xla add-in to control the
security before you open the xml file in Excel 2002. For example, you can
create one commandbar button in Excel 2002 and tell the customer to load
the xml through this button. After the user's click, the button will call
one macro to configure the security level to medium or low and then pop up
one OpenFile window for the customer to load the xml file. After the
modification or usage of this excel xml file, you can build one event
handler of BeforeClose event to set the security to High.
For the security configuration in VBA macro, the kb article 317405 will
introduce the security configuration code for you.
317405 OFFXP: How to Implement Application.AutomationSecurity
http://support.microsoft.com/?id=317405

Please feel free to let me know if you have any further questions. I am
standing by to be of service.

Enjoy a nice day!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
onedaywhen

> Furthermore, so far as I know, I'd suggest you will need to tell the users
> to set the security level to Medium or Low in Excel 2002 when opening the
> xml file which needs the xsl.
>
> Microsoft Product Support Services
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no rights.

MS Support advises users to lower their security settings?! I feel so
disillusioned!!

--
 
Sonny Kocak[MSFT]

Sonny Kocak
Microsoft Developer Community Support
Email : (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
| From: (e-mail address removed) (onedaywhen)
| Newsgroups: microsoft.public.excel.programming
| Subject: Re: XML / XSL security problem
| Date: 10 Feb 2004 07:30:30 -0800
| Organization: http://groups.google.com
|
| (e-mail address removed) (Wei-Dong Xu [MSFT]) wrote in message
|
| > Furthermore, so far as I know, I'd suggest you will need to tell the users
| > to set the security level to Medium or Low in Excel 2002 when opening the
| > xml file which needs the xsl.
|
| > Microsoft Product Support Services
| > Get Secure! - www.microsoft.com/security
| > This posting is provided "AS IS" with no warranties, and confers no rights.
|
| MS Support advises users to lower their security settings?! I feel so
| disillusioned!!
|
| --
|
 
Sonny Kocak[MSFT]

Steve,

Your last question: "what are the other attributes that would flag the
stylesheet as 'unsafe'??"? At this point, I am unable to track any
documented or verified information on any "other attributes". It would
be improper to post any hearsay or unconfirmed information. I will keep my
eyes and ears open on this. If I find any accurate or documented
information that would be helpful then I will post it immediately.


Sonny Kocak
Microsoft Developer Community Support
Email : (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
| From: SteveB <[email protected]>
| Subject: RE: XML / XSL security problem
| Date: Tue, 10 Feb 2004 05:56:07 -0800
|
| Thanks for the ideas / tips. Should be able to work round the problem now.
|
| You say that in Excel 2003 it recognises whether a stylesheet can be
| harmful based on scripts "and other attributes"
| I found out about the script issue so stripped it all out of the stylesheet.
| But what are the other attributes that would flag the stylesheet as
| 'unsafe'??
|
| Thanks
| Steve
|
 
