Edgewall Software

Ticket #7603 (closed defect: fixed)

Opened 3 months ago

Last modified 3 months ago

exported xml files are downloaded instead of displayed

Reported by: catphive@… Owned by: cboos
Priority: normal Milestone: 0.11.2
Component: version control/browser Version: 0.11.1
Severity: normal Keywords: xml svn browser wiki
Cc:

Description

Checked in xml documents that have attached stylesheets and xsl are downloaded instead of displayed when using the export:/my_path/my_doc.xml links.

To reproduce the problem, check in an xml document such as this that processes itself: http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml

also check in the stylesheet and xsl in the same directory so they can be referenced: http://google-styleguide.googlecode.com/svn/trunk/styleguide.css http://google-styleguide.googlecode.com/svn/trunk/styleguide.xsl

Now add a export link to your wiki: export:/my_path_to/cppguide.xml

The correct behavior would be to send the xml document to the browser like a normal html doc. Instead it has the browser download it (probably the mime type is wrong for exported xml documents).

Attachments

Change History

  Changed 3 months ago by nkantrowitz

  • status changed from new to closed
  • resolution set to wontfix

Allowing the browser to render it is a security risk, as it could contain Javascript, etc. All raw-mode views are specifically tagged as downloads.

follow-up: ↓ 4   Changed 3 months ago by catphive@…

  • status changed from closed to reopened
  • resolution wontfix deleted

The export feature is documented here as being useful for viewing html pages: http://trac.edgewall.org/wiki/TracLinks

There are ongoing threads in trac users with people confused why this doesn't work (with html pages) based on looking at the documentation: http://groups.google.com/group/trac-users/browse_thread/thread/f09a2806c367b17

Is there any way to change this behavior via configuration? This is extremely annoying to me. Also, SVN isn't an internet forum where anonymous posting is allowed, so in the vast majority of cases this isn't a security problem. It certainly isn't to me.

  Changed 3 months ago by nkantrowitz

  • status changed from reopened to closed
  • resolution set to wontfix

Most browsers have a "View" option on the download dialog. The important thing is this won't execute the page within the URL context of the Trac site. There is no option to control it, though you could probably do some interesting things with a plugin.

in reply to: ↑ 2   Changed 3 months ago by cboos

  • status changed from closed to reopened
  • resolution wontfix deleted

Replying to catphive@…:

The export feature is documented here as being useful for viewing html pages: http://trac.edgewall.org/wiki/TracLinks

What's missing from the docs is that if you want this behavior, you need to explicitly disable the "forced download" behavior, in TracIni#browser-section:

[browser]
render_unsafe_content = yes

Quoting from the TracIni#browser-section:

Pretty much any file may be interpreted as HTML by the browser, which allows a malicious user to attach a file containing cross-site scripting attacks.

That's why this setting is set to no by default, in which case the Content-Disposition is always set to attachment.

Also, "interpreting anything as HTML" (or xml for that matter) vastly depends on the browser. IExplorer will happily render the above document even when it's sent back as text/plain. Other browsers will only attempt to apply the .xsl stylesheet when the mimetype is actually text/xml, which is the case when the filename ends with .xml.
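To make the header behaviour discussed in this thread concrete, here is an added illustration (not Trac's own code, and not written by anyone on this ticket) of the decision a raw-file handler makes: with the [browser] switch off, every file goes out with Content-Disposition: attachment, so the browser offers a download instead of rendering it in the Trac site's origin; with the switch on, the same file is sent inline and a checked-in .xml/.xsl pair (or an .html page) renders as active content. The X-Content-Type-Options: nosniff header is an assumption added here as the usual mitigation for the sniffing problem described above, where a browser renders a text/plain response as HTML; it is not something the ticket says Trac sends. File names are constructed from the report.

```python
"""Illustrative raw-file header policy modelled on Trac's
[browser] render_unsafe_content switch. Added example, not Trac code."""
import mimetypes
import posixpath

# Content types a browser will execute as active content when rendered
# inline: HTML, and XML that can carry an xml-stylesheet processing
# instruction pointing at an XSLT file that emits <script>.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml",
    "text/xml", "application/xml", "image/svg+xml",
    "text/xsl", "application/xslt+xml",
}


def guess_mimetype(filename):
    """Map a repository path to a content type by extension.

    .xsl is not in Python's default table on every platform, so it is
    treated as XML explicitly (assumption: the stylesheet is XSLT)."""
    lower = filename.lower()
    if lower.endswith((".xsl", ".xslt")):
        return "application/xml"
    mtype, _encoding = mimetypes.guess_type(filename)
    return mtype or "application/octet-stream"


def is_active_content(mimetype):
    """True when inline rendering would let the file run script."""
    return mimetype in ACTIVE_TYPES


def raw_response_headers(filename, render_unsafe_content=False):
    """Headers for an export:/path link.

    render_unsafe_content=False mirrors the Trac default: Content-Disposition
    is always 'attachment', regardless of type. With True, the file is sent
    inline and the browser renders it in the site's own origin."""
    mtype = guess_mimetype(filename)
    basename = posixpath.basename(filename)
    disposition = "inline" if render_unsafe_content else "attachment"
    return {
        "Content-Type": mtype,
        # Assumption: stops IE-style sniffing of text/plain into HTML.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": '%s; filename="%s"' % (disposition, basename),
    }


def rendered_inline(filename, render_unsafe_content=False):
    """Would the browser render this file as a page rather than download it?"""
    headers = raw_response_headers(filename, render_unsafe_content)
    return headers["Content-Disposition"].startswith("inline")


if __name__ == "__main__":
    # Constructed file names taken from the reproduction in this ticket.
    for name in ("trunk/cppguide.xml", "trunk/styleguide.xsl",
                 "trunk/styleguide.css", "trunk/README"):
        for setting in (False, True):
            h = raw_response_headers(name, setting)
            print("render_unsafe_content=%-5s %-22s %-24s %s  active=%s" % (
                setting, name, h["Content-Type"], h["Content-Disposition"],
                is_active_content(h["Content-Type"])))
```

With the default, cppguide.xml is downloaded even though its type is XML; flipping the setting makes the browser render it, at which point the stylesheet it references can emit script in the Trac site's origin, which is the cross-site-scripting concern quoted from TracIni. If the inline behaviour is wanted for a repository where not every committer is trusted, serving raw content from a separate hostname keeps any script out of the Trac origin; that is a general practice, not a Trac option described on this ticket.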

  Changed 3 months ago by cboos

  • owner set to cboos
  • status changed from reopened to new
  • milestone set to 0.11.2

  Changed 3 months ago by cboos

  • status changed from new to closed
  • resolution set to fixed

Documentation fixed in TracLinks@63.
