Yes, I did not think resolve-uri contained any magic.

Only having a hazy grasp of the internal workings of XXE, I had been 
hoping that the system property could be a URL object which would use 
the catalog resolver (either when its value was set, or when it was 
referenced).

In fact the catalog lookup happens before the value of the property is 
set and the property is just a string.

Philip Nye

Hussein Shafie wrote:
> Philip Nye wrote:
>> Hussein Shafie wrote:
>>> Philip Nye wrote:
>> ...
>>
>>>> Can I write something like this:
>>>>
>>>>   <get expression="sys:setProperty('BASE_LOCATION', $new_value)"/>
>>>>
>>>> and have the new location resolve via the catalog?
>>>>
>>> Yes, in principle, this should work.
>>>
>> Unfortunately it doesn't!
>>
>> Unless I have missed something, the new value does not resolve through
>> the catalog, either when it is set, or when it is used. Is there a way
>> to tell sys:setProperty that the property is a URL?
>>
> 
> In your previous email, you have written this:
>>   <get expression="sys:getProperty('BASE_LOCATION')"/>
>>   <get expression="resolve-uri($relURL, %_)"/>
>>   <command name="viewHTML" parameter="%_"/>
> 
> The XML catalog is *not* used here. In this macro, you just say: if
> $relURL is a relative URL, resolve it against the value of system
> property 'BASE_LOCATION'.
> 
> You can call this system property 'FOO' if you want, it would work the same.
> 
> Now:
> ---
> <get expression="sys:setProperty('BASE_LOCATION', $new_value)"/>
> ---
> allows you to assign property 'BASE_LOCATION' from within a macro (please,
> put a trace -- <macro trace="true"> -- to check it is actually working,
> because I'm not 100% sure).
> 
> Of course, variable $new_value must contain the string representation of
> an *absolute* URL.
> 
> I don't see why you would want to do that, but macro1 can assign system
> property BASE_LOCATION and after that, macro2 can use the value of
> system property BASE_LOCATION to resolve relative URLs.
> 
> 
> 
> ---
> PS: resolve-uri() is a standard XPath 2 function. Its behavior is very
> well-defined here: http://www.w3.org/TR/xpath-functions/#func-resolve-uri
> 
> You'll see in the standard that resolve-uri() has nothing to do with XML
> catalogs.
> 
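
An added illustration of the distinction discussed in this thread; it is not part of the original messages and not XXE code. It shows that resolve-uri()-style resolution is plain RFC 3986 reference resolution, and that a catalog mapping is a separate step that has to be applied explicitly. The catalog entries, URLs and function names are constructed for the example, and Python's urljoin stands in for resolve-uri().

```python
# Added illustration; not XXE code. Catalog content and URLs are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

CATALOG_NS = "urn:oasis:names:tc:entity:xmlns:xml:catalog"

# Constructed sample OASIS XML catalog.
SAMPLE_CATALOG = """\
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <uri name="http://docs.example.com/help/index.html"
       uri="file:///opt/app/help/index.html"/>
  <rewriteURI uriStartString="http://docs.example.com/"
              rewritePrefix="file:///opt/app/docs/"/>
</catalog>
"""

def load_catalog(xml_text):
    """Return (exact, prefixes) built from <uri> and <rewriteURI> entries."""
    root = ET.fromstring(xml_text)
    exact = {e.get("name"): e.get("uri")
             for e in root.iter(f"{{{CATALOG_NS}}}uri")}
    prefixes = [(e.get("uriStartString"), e.get("rewritePrefix"))
                for e in root.iter(f"{{{CATALOG_NS}}}rewriteURI")]
    # Longest matching prefix wins, as in the OASIS catalog specification.
    prefixes.sort(key=lambda p: len(p[0]), reverse=True)
    return exact, prefixes

def catalog_lookup(uri, catalog):
    """Map an absolute URI through the catalog; unchanged if no entry matches."""
    exact, prefixes = catalog
    if uri in exact:
        return exact[uri]
    for start, rewrite in prefixes:
        if uri.startswith(start):
            return rewrite + uri[len(start):]
    return uri

def resolve_uri(relative, base):
    """Stand-in for resolve-uri(): reference resolution only, no catalog."""
    return urljoin(base, relative)

def resolve_via_catalog(relative, base, catalog):
    """Resolve against the base first, then apply the catalog explicitly."""
    return catalog_lookup(resolve_uri(relative, base), catalog)
```
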
