Signs on the Sand

Mike Kay keeps teaching us XQuery. New installment of his XQuery tutorials series sponsored by the Stylus Studio, is called "Blooming FLWOR - An Introduction to the XQuery FLWOR Expression" and covers XQuery FLWOR expressions, "the workhorse of the XQuery language". ...

Just released Microsoft Core XML Services (MSXML) 6.0 introduces some security-related breaking changes in XML and XSLT processing, but MSXML6 SDK documentation isn't released yet (expected next week) and can be found nowhere on the net, so you might have a hard time wondering why basic things stop working after ...

MSXML6 is aligned with .NET 2.0 with regard to "secure by default" principle. That means that both MSXML6 and .NET 2.0 by default prohibit DTD (even internal subset) in XML documents, document() function and embedded scripts (ms:script) in XSLT stylesheets. Here is how you can enable processing these things if your XML or XSLT comes from a trusted source.

To allow processing DTD you set "ProhibitDTD" secondary property to false before loading XML:

var xmlDoc = new ActiveXObject("Msxml2.DOMDocument.6.0");
xmlDoc.async = false;
xmlDoc.validateOnParse = false;            
xmlDoc.setProperty("ProhibitDTD", false);           
xmlDoc.load("data.xml");

To enable document() function and embedded scripts in XSLT stylesheets you set "AllowDocumentFunction" and "AllowXsltScript" secondary properties to true, no matter before or after loading stylesheet, but before running a transformation:

var xslDoc = new ActiveXObject("Msxml2.DOMDocument.6.0");
xslDoc.async = false;
xslDoc.validateOnParse = false;            
xslDoc.setProperty("ProhibitDTD", false);           
xslDoc.setProperty("AllowDocumentFunction", true);
xslDoc.setProperty("AllowXsltScript", true);      
xslDoc.load("style.xslt");

Hope that helps. And keep an eye on MSDN XML Developer Center for MSXML6 SDK with complete documentation to be released soon.